Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION.exe

Overview

General Information

Sample Name:QUOTATION.exe
Analysis ID:624514
MD5:dbffb4682e330d635295ccdd92fe99c4
SHA1:ba03bbac64d96bfbd3067803a8b08466b8fb0d3a
SHA256:011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
Tags:exeNanoCoreQuotation
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • QUOTATION.exe (PID: 636 cmdline: "C:\Users\user\Desktop\QUOTATION.exe" MD5: DBFFB4682E330D635295CCDD92FE99C4)
    • QUOTATION.exe (PID: 1052 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: DBFFB4682E330D635295CCDD92FE99C4)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
SourceRuleDescriptionAuthorStrings
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x2205:$x1: NanoCore.ClientPluginHost
  • 0x223e:$x2: IClientNetworkHost
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x2205:$x2: NanoCore.ClientPluginHost
  • 0x2320:$s4: PipeCreated
  • 0x221f:$s5: IClientLoggingHost
00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
  • 0x227f:$x2: NanoCore.ClientPlugin
  • 0x2205:$x3: NanoCore.ClientPluginHost
  • 0x2295:$i3: IClientNetwork
  • 0x221f:$i6: IClientLoggingHost
  • 0x223e:$i7: IClientNetworkHost
  • 0x1f9f:$s1: ClientPlugin
  • 0x2288:$s1: ClientPlugin
00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    Click to see the 70 entries
    SourceRuleDescriptionAuthorStrings
    5.2.QUOTATION.exe.6e90000.33.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
    5.2.QUOTATION.exe.6e90000.33.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
    5.2.QUOTATION.exe.6e90000.33.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
    • 0x34e2:$x2: NanoCore.ClientPlugin
    • 0x350b:$x3: NanoCore.ClientPluginHost
    • 0x34d3:$i3: IClientNetwork
    • 0x34f8:$i6: IClientLoggingHost
    • 0x3525:$i7: IClientNetworkHost
    • 0x334e:$s1: ClientPlugin
    • 0x34eb:$s1: ClientPlugin
    5.2.QUOTATION.exe.6e90000.33.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x170b:$x1: NanoCore.ClientPluginHost
    • 0x1725:$x2: IClientNetworkHost
    5.2.QUOTATION.exe.6e90000.33.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x170b:$x2: NanoCore.ClientPluginHost
    • 0x34b6:$s4: PipeCreated
    • 0x16f8:$s5: IClientLoggingHost
    Click to see the 232 entries

    AV Detection

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Stealing of Sensitive Information

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    barindex
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\QUOTATION.exe, ProcessId: 1052, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Timestamp:192.168.2.6212.193.30.2044977411872816766 05/11/22-18:34:53.312719
    SID:2816766
    Source Port:49774
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044985611872816766 05/11/22-18:36:21.786696
    SID:2816766
    Source Port:49856
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044983111872816766 05/11/22-18:36:15.708740
    SID:2816766
    Source Port:49831
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:212.193.30.204192.168.2.61187497802810290 05/11/22-18:35:07.758520
    SID:2810290
    Source Port:1187
    Destination Port:49780
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044980511872816766 05/11/22-18:36:01.158778
    SID:2816766
    Source Port:49805
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044980011872816766 05/11/22-18:35:40.802538
    SID:2816766
    Source Port:49800
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044977711872816766 05/11/22-18:35:01.955240
    SID:2816766
    Source Port:49777
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044978711872816766 05/11/22-18:35:14.531508
    SID:2816766
    Source Port:49787
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044979711872816766 05/11/22-18:35:34.087505
    SID:2816766
    Source Port:49797
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044986211872816766 05/11/22-18:36:27.889829
    SID:2816766
    Source Port:49862
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044980911872816766 05/11/22-18:36:07.741009
    SID:2816766
    Source Port:49809
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044979711872816718 05/11/22-18:35:34.087505
    SID:2816718
    Source Port:49797
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044980211872816766 05/11/22-18:35:47.819257
    SID:2816766
    Source Port:49802
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:212.193.30.204192.168.2.61187498622841753 05/11/22-18:36:36.975115
    SID:2841753
    Source Port:1187
    Destination Port:49862
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044978011872816766 05/11/22-18:35:07.459686
    SID:2816766
    Source Port:49780
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044979611872816766 05/11/22-18:35:26.904734
    SID:2816766
    Source Port:49796
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.6212.193.30.2044978811872816766 05/11/22-18:35:20.778412
    SID:2816766
    Source Port:49788
    Destination Port:1187
    Protocol:TCP
    Classtype:A Network Trojan was detected

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fe56abb4-cb76-44f1-89b4-7bb11730", "Group": "Default", "Domain1": "deranano2.ddns.net", "Port": 1187, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
    Source: QUOTATION.exeReversingLabs: Detection: 17%
    Source: deranano2.ddns.netAvira URL Cloud: Label: malware
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR
    Source: 5.0.QUOTATION.exe.400000.6.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.0.QUOTATION.exe.400000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.2.QUOTATION.exe.5c60000.22.unpackAvira: Label: TR/NanoCore.fadte
    Source: 5.0.QUOTATION.exe.400000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.0.QUOTATION.exe.400000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.0.QUOTATION.exe.400000.12.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 5.2.QUOTATION.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: QUOTATION.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: IClosa.pdb source: QUOTATION.exe
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp

    Networking

    barindex
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49774 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49777 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49780 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 212.193.30.204:1187 -> 192.168.2.6:49780
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49787 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49788 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49796 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49797 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.6:49797 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49800 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49802 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49805 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49809 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49831 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49856 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49862 -> 212.193.30.204:1187
    Source: TrafficSnort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 212.193.30.204:1187 -> 192.168.2.6:49862
    Source: Malware configuration extractorURLs:
    Source: Malware configuration extractorURLs: deranano2.ddns.net
    Source: unknownDNS query: name: deranano2.ddns.net
    Source: Joe Sandbox ViewASN Name: SPD-NETTR SPD-NETTR
    Source: Joe Sandbox ViewIP Address: 212.193.30.204 212.193.30.204
    Source: global trafficTCP traffic: 192.168.2.6:49774 -> 212.193.30.204:1187
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: unknownDNS traffic detected: queries for: deranano2.ddns.net
    Source: QUOTATION.exe, 00000001.00000002.415699378.000000000085B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    barindex
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

    System Summary

    barindex
    Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: initial sampleStatic PE information: Filename: QUOTATION.exe
    Source: QUOTATION.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
    Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6e90000.33.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6e90000.33.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6bb0000.30.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b80000.27.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5ed0000.24.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3ade5cf.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3ad9930.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ee0000.37.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3e1d82f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b80000.27.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b2384c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b175b4.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6bb0000.30.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b40000.25.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3ae81d4.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d58a06.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b2384c.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b90000.28.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b40000.25.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ea0000.36.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6eae8a4.34.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5ed0000.24.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6d00000.31.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b175b4.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ea4c9f.35.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6d20000.32.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e1d82f.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ee0000.37.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e34a8e.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e34a8e.18.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6d00000.31.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b78f78.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b90000.28.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6b70000.26.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ba0000.29.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d58a06.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6ea0000.36.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.5bc0000.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.6d20000.32.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3ad9930.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b7e9b0.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d4fbd7.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e2665e.19.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d66e36.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3e2665e.19.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.3d66e36.16.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b8a1ec.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 5.2.QUOTATION.exe.2b081f8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 1_2_00B1CC9C
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 1_2_00B1EED8
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 1_2_00B1EEC8
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 5_2_05ED02B0
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 5_2_0292E480
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 5_2_0292E471
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 5_2_0292BBD4
    Source: QUOTATION.exe, 00000001.00000000.365542409.00000000001AA000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe
    Source: QUOTATION.exe, 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs QUOTATION.exe
    Source: QUOTATION.exe, 00000001.00000002.422737136.0000000006D40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs QUOTATION.exe
    Source: QUOTATION.exe, 00000001.00000002.421779048.0000000006980000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFort.dll" vs QUOTATION.exe
    Source: QUOTATION.exeBinary or memory string: OriginalFilename vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000000.411504531.00000000006FA000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000003.425610931.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641129187.0000000005EC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs QUOTATION.exe
    Source: QUOTATION.exeBinary or memory string: OriginalFilenameIClosa.exe. vs QUOTATION.exe
    Source: QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: QUOTATION.exeReversingLabs: Detection: 17%
    Source: C:\Users\user\Desktop\QUOTATION.exeFile read: C:\Users\user\Desktop\QUOTATION.exeJump to behavior
    Source: QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\QUOTATION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION.exe "C:\Users\user\Desktop\QUOTATION.exe"
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
    Source: C:\Users\user\Desktop\QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION.exe.logJump to behavior
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/5@14/2
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\QUOTATION.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fe56abb4-cb76-44f1-89b4-7bb11730ab9d}
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: QUOTATION.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: QUOTATION.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: IClosa.pdb source: QUOTATION.exe
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp

    Data Obfuscation

    barindex
    Source: QUOTATION.exe, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.2.QUOTATION.exe.100000.0.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 1.0.QUOTATION.exe.100000.0.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.2.QUOTATION.exe.650000.1.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.1.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.0.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.2.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.9.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.7.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.11.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.5.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.0.QUOTATION.exe.650000.13.unpack, DZ/hD.cs.Net Code: FOC System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 1_2_00B1C0C0 pushad ; iretd
    Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 1_2_00B1C128 pushfd ; iretd
    Source: initial sampleStatic PE information: section name: .text entropy: 7.85363185265
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 5.0.QUOTATION.exe.400000.6.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 5.0.QUOTATION.exe.400000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.0.QUOTATION.exe.400000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 5.0.QUOTATION.exe.400000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\Desktop\QUOTATION.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\QUOTATION.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: Yara matchFile source: 1.2.QUOTATION.exe.2518984.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.252be1c.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.251fbd0.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
    Source: C:\Users\user\Desktop\QUOTATION.exe TID: 2324Thread sleep time: -45733s >= -30000s
    Source: C:\Users\user\Desktop\QUOTATION.exe TID: 5636Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\QUOTATION.exe TID: 6076Thread sleep time: -13835058055282155s >= -30000s
    Source: C:\Users\user\Desktop\QUOTATION.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\QUOTATION.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\QUOTATION.exeWindow / User API: threadDelayed 5456
    Source: C:\Users\user\Desktop\QUOTATION.exeWindow / User API: threadDelayed 3752
    Source: C:\Users\user\Desktop\QUOTATION.exeWindow / User API: foregroundWindowGot 678
    Source: C:\Users\user\Desktop\QUOTATION.exeWindow / User API: foregroundWindowGot 762
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeThread delayed: delay time: 45733
    Source: C:\Users\user\Desktop\QUOTATION.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\QUOTATION.exeThread delayed: delay time: 922337203685477
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
    Source: QUOTATION.exeBinary or memory string: a]hVMci
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
    Source: QUOTATION.exe, 00000005.00000003.426319113.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.425628506.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.631865092.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.426931998.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.428720756.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.428601627.0000000000BF7000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.429385256.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.500464778.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.426588395.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000003.429488260.0000000000BF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: QUOTATION.exe, 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\QUOTATION.exeMemory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
    Source: QUOTATION.exe, 00000005.00000002.635237708.0000000002C36000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637467627.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.635280236.0000000002C3C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager#xp
    Source: QUOTATION.exe, 00000005.00000002.641766867.0000000006E8C000.00000004.00000010.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641664223.0000000006CFA000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager
    Source: QUOTATION.exe, 00000005.00000002.642071541.000000000770C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerl
    Source: QUOTATION.exe, 00000005.00000002.641052824.0000000005DBC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager 8
    Source: QUOTATION.exe, 00000005.00000002.637521725.0000000002FB6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager4
    Source: QUOTATION.exe, 00000005.00000002.642047911.00000000075CC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: QUOTATION.exe, 00000005.00000002.642169555.0000000007B0B000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager h
    Source: QUOTATION.exe, 00000005.00000002.635280236.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637809442.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.637521725.0000000002FB6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerxp
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Users\user\Desktop\QUOTATION.exe VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
    Source: C:\Users\user\Desktop\QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\QUOTATION.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information

    barindex
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Source: QUOTATION.exe, 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: QUOTATION.exe, 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.637915665.0000000003AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: QUOTATION.exe, 00000005.00000003.425610931.0000000000BDF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: QUOTATION.exe, 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: QUOTATION.exe, 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: QUOTATION.exe, 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: QUOTATION.exe, 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: QUOTATION.exe, 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: QUOTATION.exe, 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c64629.21.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b2458d.12.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b3d051.11.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.3b38a28.13.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.5c60000.22.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.2.QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 5.0.QUOTATION.exe.400000.12.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.36095b8.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.QUOTATION.exe.35cbd98.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 636, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: QUOTATION.exe PID: 1052, type: MEMORYSTR
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Windows Management Instrumentation
    Path Interception12
    Process Injection
    1
    Masquerading
    21
    Input Capture
    1
    Query Registry
    Remote Services21
    Input Capture
    Exfiltration Over Other Network Medium1
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Disable or Modify Tools
    LSASS Memory111
    Security Software Discovery
    Remote Desktop Protocol11
    Archive Collected Data
    Exfiltration Over Bluetooth1
    Non-Standard Port
    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion
    Security Account Manager2
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Remote Access Software
    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)12
    Process Injection
    NTDS21
    Virtualization/Sandbox Evasion
    Distributed Component Object ModelInput CaptureScheduled Transfer1
    Non-Application Layer Protocol
    SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Deobfuscate/Decode Files or Information
    LSA Secrets1
    Application Window Discovery
    SSHKeyloggingData Transfer Size Limits21
    Application Layer Protocol
    Manipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common1
    Hidden Files and Directories
    Cached Domain Credentials12
    System Information Discovery
    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items2
    Obfuscated Files or Information
    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job13
    Software Packing
    Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    SourceDetectionScannerLabelLink
    QUOTATION.exe17%ReversingLabsByteCode-MSIL.Backdoor.NanoBot
    No Antivirus matches
    SourceDetectionScannerLabelLinkDownload
    5.0.QUOTATION.exe.400000.6.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    5.0.QUOTATION.exe.400000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    5.2.QUOTATION.exe.5c60000.22.unpack100%AviraTR/NanoCore.fadteDownload File
    5.0.QUOTATION.exe.400000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    5.0.QUOTATION.exe.400000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    5.0.QUOTATION.exe.400000.12.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    5.2.QUOTATION.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    No Antivirus matches
    SourceDetectionScannerLabelLink
    0%Avira URL Cloudsafe
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    deranano2.ddns.net100%Avira URL Cloudmalware
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.sakkal.com0%URL Reputationsafe
    NameIPActiveMaliciousAntivirus DetectionReputation
    deranano2.ddns.net
    212.193.30.204
    truetrue
      unknown
      NameMaliciousAntivirus DetectionReputation
      true
      • Avira URL Cloud: safe
      low
      deranano2.ddns.nettrue
      • Avira URL Cloud: malware
      unknown
      NameSourceMaliciousAntivirus DetectionReputation
      http://www.apache.org/licenses/LICENSE-2.0QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        http://www.fontbureau.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://www.fontbureau.com/designersGQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.fontbureau.com/designers/?QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.founder.com.cn/cn/bTheQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.fontbureau.com/designers?QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.tiro.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designersQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.goodfont.co.krQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://google.comQUOTATION.exe, 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, QUOTATION.exe, 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.carterandcone.comlQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sajatypeworks.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.typography.netDQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/cabarga.htmlNQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/cTheQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.galapagosdesign.com/staff/dennis.htmQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://fontfabrik.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cnQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.fontbureau.com/designers/frere-jones.htmlQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.jiyu-kobo.co.jp/QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/DPleaseQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers8QUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fonts.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.sandoll.co.krQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.urwpp.deDPleaseQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.zhongyicts.com.cnQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.sakkal.comQUOTATION.exe, 00000001.00000002.421125700.0000000006522000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            • No. of IPs < 25%
                            • 25% < No. of IPs < 50%
                            • 50% < No. of IPs < 75%
                            • 75% < No. of IPs
                            IPDomainCountryFlagASNASN NameMalicious
                            212.193.30.204
                            deranano2.ddns.netRussian Federation
                            57844SPD-NETTRtrue
                            IP
                            192.168.2.1
                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:624514
                            Start date and time: 11/05/202218:33:142022-05-11 18:33:14 +02:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 10m 38s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:QUOTATION.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:21
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@3/5@14/2
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:
                            • Successful, ratio: 1.9% (good quality ratio 1.7%)
                            • Quality average: 68.5%
                            • Quality standard deviation: 29.8%
                            HCA Information:
                            • Successful, ratio: 99%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                            • TCP Packets have been reduced to 100
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                            • Not all processes where analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • VT rate limit hit for: QUOTATION.exe
                            TimeTypeDescription
                            18:34:41API Interceptor807x Sleep call for process: QUOTATION.exe modified
                            No context
                            No context
                            No context
                            No context
                            No context
                            Process:C:\Users\user\Desktop\QUOTATION.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1750
                            Entropy (8bit):5.3375092442007315
                            Encrypted:false
                            SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
                            MD5:92FEE17DD9A6925BA2D1E5EF2CD6E5F2
                            SHA1:4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
                            SHA-256:67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
                            SHA-512:C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                            Process:C:\Users\user\Desktop\QUOTATION.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):232
                            Entropy (8bit):7.024371743172393
                            Encrypted:false
                            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                            MD5:32D0AAE13696FF7F8AF33B2D22451028
                            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                            Process:C:\Users\user\Desktop\QUOTATION.exe
                            File Type:Non-ISO extended-ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):8
                            Entropy (8bit):3.0
                            Encrypted:false
                            SSDEEP:3:zWl:0
                            MD5:91522D41025242D19D64C4FA2D4C2EFD
                            SHA1:ED596E1834BC20F99EABC9D702E15250E588EFFE
                            SHA-256:8E9E0CBF71438BABDEE035125FA4B28E1FFCC9DB35550FBFE2296724F54505B5
                            SHA-512:D390C4FB3BD6C310B5864E50B8B39295D918120A1077E3508E00AB5D52847ECC8ED126BEFA69E41B7BF1F3D9B4CE4B28B0CF585C830A67925EBAE55D60850DA1
                            Malicious:true
                            Reputation:low
                            Preview:#...3.H
                            Process:C:\Users\user\Desktop\QUOTATION.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):40
                            Entropy (8bit):5.153055907333276
                            Encrypted:false
                            SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                            MD5:4E5E92E2369688041CC82EF9650EDED2
                            SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                            SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                            SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:9iH...}Z.4..f.~a........~.~.......3.U.
                            Process:C:\Users\user\Desktop\QUOTATION.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):327432
                            Entropy (8bit):7.99938831605763
                            Encrypted:true
                            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.85137144717535
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            • Win32 Executable (generic) a (10002005/4) 49.75%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Windows Screen Saver (13104/52) 0.07%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            File name:QUOTATION.exe
                            File size:707584
                            MD5:dbffb4682e330d635295ccdd92fe99c4
                            SHA1:ba03bbac64d96bfbd3067803a8b08466b8fb0d3a
                            SHA256:011c5f305852ea8ef82a26bae0d7b6f59fd70f431b91edb25df06863e0001bc0
                            SHA512:01fe41d7c24f92d05308b9316ba49adf2e7d2cc410a63e4da7e95dde82a6669f5e39c45ba0306f0c4a9f45174aeabd130fc215e877cc736220b05b9d9594802f
                            SSDEEP:12288:QF/3DpQp9V5XXkkXIqvCQOeZ/xWzWsCXQhpKn+nj4/sHtNdC8Sgp:QF/3DG/YkvvWeZ/xWzWsQQhsnCOcdv
                            TLSH:87E4011CBAF7DA22D16E2B3990F280945771BE89A033D31E35DC134E9F16B9349467A3
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....f{b..............0..p...Z........... ........@.. ....................... ............@................................
                            Icon Hash:f0f2f25944bcce78
                            Entrypoint:0x4a8f0e
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                            Time Stamp:0x627B66A8 [Wed May 11 07:32:56 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xa8ec00x4b.text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xaa0000x57ac.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xb00000xc.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0xa8e810x1c.text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000xa6f140xa7000False0.886948271426data7.85363185265IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                            .rsrc0xaa0000x57ac0x5800False0.964799360795data7.88885953367IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xb00000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            NameRVASizeTypeLanguageCountry
                            RT_ICON0xaa1300x5164PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                            RT_GROUP_ICON0xaf2940x14data
                            RT_VERSION0xaf2a80x318data
                            RT_MANIFEST0xaf5c00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            DLLImport
                            mscoree.dll_CorExeMain
                            DescriptionData
                            Translation0x0000 0x04b0
                            LegalCopyrightKids Mart 2012
                            Assembly Version1.0.0.0
                            InternalNameIClosa.exe
                            FileVersion1.0.0.0
                            CompanyNameKids Mart
                            LegalTrademarks
                            Comments
                            ProductNameVoroni
                            ProductVersion1.0.0.0
                            FileDescriptionVoroni
                            OriginalFilenameIClosa.exe
                            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                            192.168.2.6212.193.30.2044977411872816766 05/11/22-18:34:53.312719TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497741187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044985611872816766 05/11/22-18:36:21.786696TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498561187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044983111872816766 05/11/22-18:36:15.708740TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498311187192.168.2.6212.193.30.204
                            212.193.30.204192.168.2.61187497802810290 05/11/22-18:35:07.758520TCP2810290ETPRO TROJAN NanoCore RAT Keepalive Response 1118749780212.193.30.204192.168.2.6
                            192.168.2.6212.193.30.2044980511872816766 05/11/22-18:36:01.158778TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498051187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044980011872816766 05/11/22-18:35:40.802538TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498001187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044977711872816766 05/11/22-18:35:01.955240TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497771187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044978711872816766 05/11/22-18:35:14.531508TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497871187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044979711872816766 05/11/22-18:35:34.087505TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497971187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044986211872816766 05/11/22-18:36:27.889829TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498621187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044980911872816766 05/11/22-18:36:07.741009TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498091187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044979711872816718 05/11/22-18:35:34.087505TCP2816718ETPRO TROJAN NanoCore RAT Keep-Alive Beacon497971187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044980211872816766 05/11/22-18:35:47.819257TCP2816766ETPRO TROJAN NanoCore RAT CnC 7498021187192.168.2.6212.193.30.204
                            212.193.30.204192.168.2.61187498622841753 05/11/22-18:36:36.975115TCP2841753ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)118749862212.193.30.204192.168.2.6
                            192.168.2.6212.193.30.2044978011872816766 05/11/22-18:35:07.459686TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497801187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044979611872816766 05/11/22-18:35:26.904734TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497961187192.168.2.6212.193.30.204
                            192.168.2.6212.193.30.2044978811872816766 05/11/22-18:35:20.778412TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497881187192.168.2.6212.193.30.204
                            TimestampSource PortDest PortSource IPDest IP
                            May 11, 2022 18:34:52.318828106 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.347148895 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.350502968 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.406663895 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.470082998 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.483499050 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.511833906 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.665107012 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.716006041 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.808214903 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.858473063 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.858520031 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.858551025 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.858582020 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.858633995 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.858671904 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.885740995 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885777950 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885803938 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885823965 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885843992 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885871887 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885896921 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885922909 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.885981083 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.886040926 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.886049032 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.913367987 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913407087 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913433075 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913459063 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913484097 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913510084 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913536072 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913561106 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913587093 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913588047 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.913613081 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913640976 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913665056 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913690090 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913707018 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.913714886 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.913716078 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913744926 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913770914 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.913856983 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.913867950 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941195011 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941226006 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941251993 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941277981 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941304922 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941334963 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941359997 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941382885 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941386938 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941397905 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941400051 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941417933 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941445112 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941461086 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941472054 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941499949 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941528082 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941555977 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941580057 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941605091 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941611052 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941616058 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941617966 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941632986 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941658974 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941682100 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941735029 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941761017 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941777945 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941781044 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941782951 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941787958 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941827059 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941852093 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941875935 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941900969 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941919088 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941942930 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941952944 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941956997 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941958904 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.941967964 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.941992044 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.942243099 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.942270041 CEST497741187192.168.2.6212.193.30.204
                            May 11, 2022 18:34:52.972409010 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972522020 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972564936 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972605944 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972644091 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972682953 CEST118749774212.193.30.204192.168.2.6
                            May 11, 2022 18:34:52.972723007 CEST118749774212.193.30.204192.168.2.6
                            TimestampSource PortDest PortSource IPDest IP
                            May 11, 2022 18:34:52.287666082 CEST5174853192.168.2.68.8.8.8
                            May 11, 2022 18:34:52.306927919 CEST53517488.8.8.8192.168.2.6
                            May 11, 2022 18:34:59.093965054 CEST5095853192.168.2.68.8.8.8
                            May 11, 2022 18:34:59.111686945 CEST53509588.8.8.8192.168.2.6
                            May 11, 2022 18:35:06.523456097 CEST5655053192.168.2.68.8.8.8
                            May 11, 2022 18:35:06.545044899 CEST53565508.8.8.8192.168.2.6
                            May 11, 2022 18:35:12.681927919 CEST5703753192.168.2.68.8.8.8
                            May 11, 2022 18:35:12.701590061 CEST53570378.8.8.8192.168.2.6
                            May 11, 2022 18:35:19.731717110 CEST6060953192.168.2.68.8.8.8
                            May 11, 2022 18:35:19.753113031 CEST53606098.8.8.8192.168.2.6
                            May 11, 2022 18:35:25.857225895 CEST5208953192.168.2.68.8.8.8
                            May 11, 2022 18:35:25.877197981 CEST53520898.8.8.8192.168.2.6
                            May 11, 2022 18:35:32.226279974 CEST5448953192.168.2.68.8.8.8
                            May 11, 2022 18:35:32.245639086 CEST53544898.8.8.8192.168.2.6
                            May 11, 2022 18:35:39.179836988 CEST5382953192.168.2.68.8.8.8
                            May 11, 2022 18:35:39.201423883 CEST53538298.8.8.8192.168.2.6
                            May 11, 2022 18:35:46.664163113 CEST5868953192.168.2.68.8.8.8
                            May 11, 2022 18:35:46.681548119 CEST53586898.8.8.8192.168.2.6
                            May 11, 2022 18:35:58.912822962 CEST4952053192.168.2.68.8.8.8
                            May 11, 2022 18:35:58.932028055 CEST53495208.8.8.8192.168.2.6
                            May 11, 2022 18:36:06.740097046 CEST5296553192.168.2.68.8.8.8
                            May 11, 2022 18:36:06.761792898 CEST53529658.8.8.8192.168.2.6
                            May 11, 2022 18:36:12.778187037 CEST6023853192.168.2.68.8.8.8
                            May 11, 2022 18:36:12.797620058 CEST53602388.8.8.8192.168.2.6
                            May 11, 2022 18:36:20.803953886 CEST5222553192.168.2.68.8.8.8
                            May 11, 2022 18:36:20.825550079 CEST53522258.8.8.8192.168.2.6
                            May 11, 2022 18:36:26.871653080 CEST5766953192.168.2.68.8.8.8
                            May 11, 2022 18:36:26.889264107 CEST53576698.8.8.8192.168.2.6
                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                            May 11, 2022 18:34:52.287666082 CEST192.168.2.68.8.8.80x6979Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:34:59.093965054 CEST192.168.2.68.8.8.80x581bStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:06.523456097 CEST192.168.2.68.8.8.80xfcc6Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:12.681927919 CEST192.168.2.68.8.8.80xf6fcStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:19.731717110 CEST192.168.2.68.8.8.80xbffStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:25.857225895 CEST192.168.2.68.8.8.80x263Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:32.226279974 CEST192.168.2.68.8.8.80x42baStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:39.179836988 CEST192.168.2.68.8.8.80xcda1Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:46.664163113 CEST192.168.2.68.8.8.80x9beaStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:35:58.912822962 CEST192.168.2.68.8.8.80xd6ecStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:36:06.740097046 CEST192.168.2.68.8.8.80x46f8Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:36:12.778187037 CEST192.168.2.68.8.8.80xb4b2Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:36:20.803953886 CEST192.168.2.68.8.8.80xa1b8Standard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            May 11, 2022 18:36:26.871653080 CEST192.168.2.68.8.8.80x8cfStandard query (0)deranano2.ddns.netA (IP address)IN (0x0001)
                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                            May 11, 2022 18:34:52.306927919 CEST8.8.8.8192.168.2.60x6979No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:34:59.111686945 CEST8.8.8.8192.168.2.60x581bNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:06.545044899 CEST8.8.8.8192.168.2.60xfcc6No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:12.701590061 CEST8.8.8.8192.168.2.60xf6fcNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:19.753113031 CEST8.8.8.8192.168.2.60xbffNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:25.877197981 CEST8.8.8.8192.168.2.60x263No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:32.245639086 CEST8.8.8.8192.168.2.60x42baNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:39.201423883 CEST8.8.8.8192.168.2.60xcda1No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:46.681548119 CEST8.8.8.8192.168.2.60x9beaNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:35:58.932028055 CEST8.8.8.8192.168.2.60xd6ecNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:36:06.761792898 CEST8.8.8.8192.168.2.60x46f8No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:36:12.797620058 CEST8.8.8.8192.168.2.60xb4b2No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:36:20.825550079 CEST8.8.8.8192.168.2.60xa1b8No error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)
                            May 11, 2022 18:36:26.889264107 CEST8.8.8.8192.168.2.60x8cfNo error (0)deranano2.ddns.net212.193.30.204A (IP address)IN (0x0001)

                            Click to jump to process

                            Target ID:1
                            Start time:18:34:24
                            Start date:11/05/2022
                            Path:C:\Users\user\Desktop\QUOTATION.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\QUOTATION.exe"
                            Imagebase:0x100000
                            File size:707584 bytes
                            MD5 hash:DBFFB4682E330D635295CCDD92FE99C4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.416586877.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.418666280.00000000035CB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            Target ID:5
                            Start time:18:34:44
                            Start date:11/05/2022
                            Path:C:\Users\user\Desktop\QUOTATION.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\QUOTATION.exe
                            Imagebase:0x650000
                            File size:707584 bytes
                            MD5 hash:DBFFB4682E330D635295CCDD92FE99C4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641608734.0000000006B90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.411957545.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641634528.0000000006BB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.640118033.0000000003DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641805213.0000000006EA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641707073.0000000006D20000.00000004.00000001.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.638035787.0000000003B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641622424.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.411127213.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.630920607.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641872775.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641519626.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.640012845.0000000003D4E000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641679892.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.633949267.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.634509663.0000000002B68000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641594280.0000000006B80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.640953344.0000000005BC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641582210.0000000006B70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641008391.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.413349942.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641782260.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000005.00000002.641142160.0000000005ED0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: NanoCore, Description: unknown, Source: 00000005.00000000.412616907.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                            Reputation:low

                            No disassembly