Edit tour

Windows Analysis Report
wzkp8c4Z3F.exe

Overview

General Information

Sample Name:	wzkp8c4Z3F.exe
Analysis ID:	708261
MD5:	c143cac623fbf082adedd43cad691a69
SHA1:	62bd3d43d6e897922cf557d4e40f7d6d9035a4bf
SHA256:	3a542858ddb263f3b60a1c7340d508e7f392443e9ee8521d0c9e4a8289173fdf
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

wzkp8c4Z3F.exe (PID: 5336 cmdline: "C:\Users\user\Desktop\wzkp8c4Z3F.exe" MD5: C143CAC623FBF082ADEDD43CAD691A69)

wzkp8c4Z3F.exe (PID: 6004 cmdline: C:\Users\user\Desktop\wzkp8c4Z3F.exe MD5: C143CAC623FBF082ADEDD43CAD691A69)

schtasks.exe (PID: 5180 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4596 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wzkp8c4Z3F.exe (PID: 1544 cmdline: C:\Users\user\Desktop\wzkp8c4Z3F.exe 0 MD5: C143CAC623FBF082ADEDD43CAD691A69)

wzkp8c4Z3F.exe (PID: 3104 cmdline: C:\Users\user\Desktop\wzkp8c4Z3F.exe MD5: C143CAC623FBF082ADEDD43CAD691A69)

dhcpmon.exe (PID: 2004 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C143CAC623FBF082ADEDD43CAD691A69)

dhcpmon.exe (PID: 6060 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: C143CAC623FBF082ADEDD43CAD691A69)

dhcpmon.exe (PID: 5528 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C143CAC623FBF082ADEDD43CAD691A69)

dhcpmon.exe (PID: 5000 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: C143CAC623FBF082ADEDD43CAD691A69)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "9c6d4c8a-884b-4287-8ce0-7edf4a23", "Group": "X File", "Domain1": "jasonbourne.bounceme.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000000.00000002.323700911.00000000033BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16776d:$x1: NanoCore.ClientPluginHost 0x19a38d:$x1: NanoCore.ClientPluginHost 0x1ccdad:$x1: NanoCore.ClientPluginHost 0x1677aa:$x2: IClientNetworkHost 0x19a3ca:$x2: IClientNetworkHost 0x1ccdea:$x2: IClientNetworkHost 0x16b2dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19defd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d091d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1674d5:$a: NanoCore 0x1674e5:$a: NanoCore 0x167719:$a: NanoCore 0x16772d:$a: NanoCore 0x16776d:$a: NanoCore 0x19a0f5:$a: NanoCore 0x19a105:$a: NanoCore 0x19a339:$a: NanoCore 0x19a34d:$a: NanoCore 0x19a38d:$a: NanoCore 0x1ccb15:$a: NanoCore 0x1ccb25:$a: NanoCore 0x1ccd59:$a: NanoCore 0x1ccd6d:$a: NanoCore 0x1ccdad:$a: NanoCore 0x167534:$b: ClientPlugin 0x167736:$b: ClientPlugin 0x167776:$b: ClientPlugin 0x19a154:$b: ClientPlugin 0x19a356:$b: ClientPlugin 0x19a396:$b: ClientPlugin
00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16776d:$a1: NanoCore.ClientPluginHost 0x19a38d:$a1: NanoCore.ClientPluginHost 0x1ccdad:$a1: NanoCore.ClientPluginHost 0x16772d:$a2: NanoCore.ClientPlugin 0x19a34d:$a2: NanoCore.ClientPlugin 0x1ccd6d:$a2: NanoCore.ClientPlugin 0x169686:$b1: get_BuilderSettings 0x19c2a6:$b1: get_BuilderSettings 0x1cecc6:$b1: get_BuilderSettings 0x167589:$b2: ClientLoaderForm.resources 0x19a1a9:$b2: ClientLoaderForm.resources 0x1ccbc9:$b2: ClientLoaderForm.resources 0x168da6:$b3: PluginCommand 0x19b9c6:$b3: PluginCommand 0x1ce3e6:$b3: PluginCommand 0x16775e:$b4: IClientAppHost 0x19a37e:$b4: IClientAppHost 0x1ccd9e:$b4: IClientAppHost 0x171bde:$b5: GetBlockHash 0x1a47fe:$b5: GetBlockHash 0x1d721e:$b5: GetBlockHash
00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x7f8:$a: NanoCore 0x1bb4:$a: NanoCore 0x1bfe:$a: NanoCore 0x2858:$a: NanoCore 0xb622:$a: NanoCore 0xb70c:$a: NanoCore 0xc583:$a: NanoCore 0x1572f:$a: NanoCore 0x15790:$a: NanoCore 0x157d3:$a: NanoCore 0x15813:$a: NanoCore 0x15a4f:$a: NanoCore 0x15aef:$a: NanoCore 0x162c7:$a: NanoCore 0x168ba:$a: NanoCore 0x16a0b:$a: NanoCore 0x17865:$a: NanoCore 0x17acc:$a: NanoCore 0x17ae1:$a: NanoCore 0x17b00:$a: NanoCore 0x20a05:$a: NanoCore
00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1bb4:$a1: NanoCore.ClientPluginHost 0xb622:$a1: NanoCore.ClientPluginHost 0x15a4f:$a1: NanoCore.ClientPluginHost 0x20a2e:$a1: NanoCore.ClientPluginHost 0x2c7d2:$a1: NanoCore.ClientPluginHost 0x516d8:$a1: NanoCore.ClientPluginHost 0x60b1a:$a1: NanoCore.ClientPluginHost 0x69dcf:$a1: NanoCore.ClientPluginHost 0x7d53d:$a1: NanoCore.ClientPluginHost 0x8b177:$a1: NanoCore.ClientPluginHost 0x9b393:$a1: NanoCore.ClientPluginHost 0x1bfe:$a2: NanoCore.ClientPlugin 0xb70c:$a2: NanoCore.ClientPlugin 0x15aef:$a2: NanoCore.ClientPlugin 0x20a05:$a2: NanoCore.ClientPlugin 0x2c7a9:$a2: NanoCore.ClientPlugin 0x516af:$a2: NanoCore.ClientPlugin 0x60af5:$a2: NanoCore.ClientPlugin 0x69d92:$a2: NanoCore.ClientPlugin 0x7d508:$a2: NanoCore.ClientPlugin 0x8b152:$a2: NanoCore.ClientPlugin
00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x560df:$a: NanoCore 0x561c9:$a: NanoCore 0x57040:$a: NanoCore 0x601ea:$a: NanoCore 0x6024b:$a: NanoCore 0x6028e:$a: NanoCore 0x602ce:$a: NanoCore 0x6050a:$a: NanoCore 0x605aa:$a: NanoCore 0x60d82:$a: NanoCore 0x61375:$a: NanoCore 0x614c6:$a: NanoCore 0x62320:$a: NanoCore 0x62587:$a: NanoCore 0x6259c:$a: NanoCore 0x625bb:$a: NanoCore 0x6b4be:$a: NanoCore 0x6b4e7:$a: NanoCore 0x77260:$a: NanoCore 0x77289:$a: NanoCore 0x9c14c:$a: NanoCore
00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x560df:$a1: NanoCore.ClientPluginHost 0x6050a:$a1: NanoCore.ClientPluginHost 0x6b4e7:$a1: NanoCore.ClientPluginHost 0x77289:$a1: NanoCore.ClientPluginHost 0x9c18d:$a1: NanoCore.ClientPluginHost 0xab5cd:$a1: NanoCore.ClientPluginHost 0x561c9:$a2: NanoCore.ClientPlugin 0x605aa:$a2: NanoCore.ClientPlugin 0x6b4be:$a2: NanoCore.ClientPlugin 0x77260:$a2: NanoCore.ClientPlugin 0x9c164:$a2: NanoCore.ClientPlugin 0xab5a8:$a2: NanoCore.ClientPlugin 0xab5be:$b4: IClientAppHost 0x57a22:$b7: LogClientException 0x61300:$b7: LogClientException 0x795d2:$b7: LogClientException 0xa11b8:$b7: LogClientException 0xafaad:$b7: LogClientException 0x57035:$b8: PipeExists 0x560f9:$b9: IClientLoggingHost 0x60524:$b9: IClientLoggingHost
00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb4adc:$a1: NanoCore.ClientPluginHost 0xc4cfa:$a1: NanoCore.ClientPluginHost 0xd1e65:$a1: NanoCore.ClientPluginHost 0xdbcb9:$a1: NanoCore.ClientPluginHost 0xe3be1:$a1: NanoCore.ClientPluginHost 0xb4ab7:$a2: NanoCore.ClientPlugin 0xc4cd4:$a2: NanoCore.ClientPlugin 0xd1ee1:$a2: NanoCore.ClientPlugin 0xdbd35:$a2: NanoCore.ClientPlugin 0xe3c5b:$a2: NanoCore.ClientPlugin 0xb8479:$b1: get_BuilderSettings 0xb4acd:$b4: IClientAppHost 0xdc8be:$b7: LogClientException 0xe437c:$b7: LogClientException 0xc4d14:$b9: IClientLoggingHost 0xd1e7f:$b9: IClientLoggingHost 0xdbcd3:$b9: IClientLoggingHost 0xe3bfb:$b9: IClientLoggingHost
00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x29dc:$a1: NanoCore.ClientPluginHost 0x29b7:$a2: NanoCore.ClientPlugin 0x29cd:$b4: IClientAppHost 0x6ebc:$b7: LogClientException 0x2a06:$b9: IClientLoggingHost
0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x43653:$a1: NanoCore.ClientPluginHost 0x56dc1:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x43616:$a2: NanoCore.ClientPlugin 0x56d8c:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439ea:$b1: get_BuilderSettings 0x5bd07:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a1:$b4: IClientAppHost 0x43a5b:$b6: AddHostEntry 0x43aca:$b7: LogClientException 0x5bc76:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a3f:$b8: PipeExists 0x4368e:$b9: IClientLoggingHost 0x56ddb:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27b0b:$a1: NanoCore.ClientPluginHost 0x27ae2:$a2: NanoCore.ClientPlugin 0x2cb36:$b7: LogClientException 0x27af8:$b9: IClientLoggingHost
00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2244:$a: NanoCore 0x229d:$a: NanoCore 0x22d0:$a: NanoCore 0x24fc:$a: NanoCore 0x2578:$a: NanoCore 0x2b91:$a: NanoCore 0x2cda:$a: NanoCore 0x31ae:$a: NanoCore 0x3495:$a: NanoCore 0x34ac:$a: NanoCore 0x8a4a:$a: NanoCore 0x8ac4:$a: NanoCore 0xd661:$a: NanoCore 0xea1b:$a: NanoCore 0xea65:$a: NanoCore 0xf6bf:$a: NanoCore 0x18487:$a: NanoCore 0x18571:$a: NanoCore 0x193e8:$a: NanoCore 0x22592:$a: NanoCore 0x225f3:$a: NanoCore
00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x24fc:$a1: NanoCore.ClientPluginHost 0x8a4a:$a1: NanoCore.ClientPluginHost 0xea1b:$a1: NanoCore.ClientPluginHost 0x18487:$a1: NanoCore.ClientPluginHost 0x228b2:$a1: NanoCore.ClientPluginHost 0x2d88f:$a1: NanoCore.ClientPluginHost 0x39631:$a1: NanoCore.ClientPluginHost 0x5e535:$a1: NanoCore.ClientPluginHost 0x6d975:$a1: NanoCore.ClientPluginHost 0x7abca:$a1: NanoCore.ClientPluginHost 0x85ba7:$a1: NanoCore.ClientPluginHost 0x2578:$a2: NanoCore.ClientPlugin 0x8ac4:$a2: NanoCore.ClientPlugin 0xea65:$a2: NanoCore.ClientPlugin 0x18571:$a2: NanoCore.ClientPlugin 0x22952:$a2: NanoCore.ClientPlugin 0x2d866:$a2: NanoCore.ClientPlugin 0x39608:$a2: NanoCore.ClientPlugin 0x5e50c:$a2: NanoCore.ClientPlugin 0x6d950:$a2: NanoCore.ClientPlugin 0x7ac6a:$a2: NanoCore.ClientPlugin
00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69463:$a: NanoCore 0x694bc:$a: NanoCore 0x694f9:$a: NanoCore 0x69572:$a: NanoCore 0x694c5:$b: ClientPlugin 0x69502:$b: ClientPlugin 0x69e00:$b: ClientPlugin 0x69e0d:$b: ClientPlugin 0x5f5df:$e: KeepAlive 0x6994d:$g: LogClientMessage 0x698cd:$i: get_Connected 0x59899:$j: #=q 0x598c9:$j: #=q 0x59905:$j: #=q 0x5992d:$j: #=q 0x5995d:$j: #=q 0x5998d:$j: #=q 0x599bd:$j: #=q 0x599ed:$j: #=q 0x59a09:$j: #=q 0x59a39:$j: #=q
0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694f9:$a1: NanoCore.ClientPluginHost 0x694bc:$a2: NanoCore.ClientPlugin 0x5add3:$b1: get_BuilderSettings 0x69890:$b1: get_BuilderSettings 0x69547:$b4: IClientAppHost 0x69901:$b6: AddHostEntry 0x5ad42:$b7: LogClientException 0x69970:$b7: LogClientException 0x698e5:$b8: PipeExists 0x69534:$b9: IClientLoggingHost
00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69367:$a: NanoCore 0x693c0:$a: NanoCore 0x693fd:$a: NanoCore 0x69476:$a: NanoCore 0x693c9:$b: ClientPlugin 0x69406:$b: ClientPlugin 0x69d04:$b: ClientPlugin 0x69d11:$b: ClientPlugin 0x5f4e3:$e: KeepAlive 0x69851:$g: LogClientMessage 0x697d1:$i: get_Connected 0x5979d:$j: #=q 0x597cd:$j: #=q 0x59809:$j: #=q 0x59831:$j: #=q 0x59861:$j: #=q 0x59891:$j: #=q 0x598c1:$j: #=q 0x598f1:$j: #=q 0x5990d:$j: #=q 0x5993d:$j: #=q
0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x693fd:$a1: NanoCore.ClientPluginHost 0x693c0:$a2: NanoCore.ClientPlugin 0x5acd7:$b1: get_BuilderSettings 0x69794:$b1: get_BuilderSettings 0x6944b:$b4: IClientAppHost 0x69805:$b6: AddHostEntry 0x5ac46:$b7: LogClientException 0x69874:$b7: LogClientException 0x697e9:$b8: PipeExists 0x69438:$b9: IClientLoggingHost
00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5089f:$a: NanoCore 0x508f8:$a: NanoCore 0x50935:$a: NanoCore 0x509ae:$a: NanoCore 0x79eca:$a: NanoCore 0x79eef:$a: NanoCore 0x79f48:$a: NanoCore 0x9c1ef:$a: NanoCore 0x9c215:$a: NanoCore 0x9c271:$a: NanoCore 0xa910b:$a: NanoCore 0xa9164:$a: NanoCore 0xa9197:$a: NanoCore 0xa93c3:$a: NanoCore 0xa943f:$a: NanoCore 0xa9a58:$a: NanoCore 0xa9ba1:$a: NanoCore 0xaa075:$a: NanoCore 0xaa35c:$a: NanoCore 0xaa373:$a: NanoCore 0xb3257:$a: NanoCore
00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x50935:$a1: NanoCore.ClientPluginHost 0x79eef:$a1: NanoCore.ClientPluginHost 0x9c215:$a1: NanoCore.ClientPluginHost 0xa93c3:$a1: NanoCore.ClientPluginHost 0xb3257:$a1: NanoCore.ClientPluginHost 0xbb1c1:$a1: NanoCore.ClientPluginHost 0xc11d8:$a1: NanoCore.ClientPluginHost 0xcac87:$a1: NanoCore.ClientPluginHost 0xd50f7:$a1: NanoCore.ClientPluginHost 0xe011d:$a1: NanoCore.ClientPluginHost 0xebf07:$a1: NanoCore.ClientPluginHost 0xf7cc6:$a1: NanoCore.ClientPluginHost 0x508f8:$a2: NanoCore.ClientPlugin 0x79eca:$a2: NanoCore.ClientPlugin 0x9c1ef:$a2: NanoCore.ClientPlugin 0xa943f:$a2: NanoCore.ClientPlugin 0xb32d3:$a2: NanoCore.ClientPlugin 0xbb23b:$a2: NanoCore.ClientPlugin 0xc1222:$a2: NanoCore.ClientPlugin 0xcad71:$a2: NanoCore.ClientPlugin 0xd5197:$a2: NanoCore.ClientPlugin
00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
Process Memory Space: wzkp8c4Z3F.exe PID: 5336	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4c51d:$x1: NanoCore.ClientPluginHost 0x4c55a:$x2: IClientNetworkHost 0x4f986:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a625:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x664fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7188e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: wzkp8c4Z3F.exe PID: 5336	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wzkp8c4Z3F.exe PID: 5336	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wzkp8c4Z3F.exe PID: 5336	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4c2ad:$a: NanoCore 0x4c2bd:$a: NanoCore 0x4c327:$a: NanoCore 0x4c336:$a: NanoCore 0x4c4c9:$a: NanoCore 0x4c4dd:$a: NanoCore 0x4c51d:$a: NanoCore 0x56c8f:$a: NanoCore 0x56ca1:$a: NanoCore 0x56cdd:$a: NanoCore 0x62b67:$a: NanoCore 0x62b79:$a: NanoCore 0x62bb5:$a: NanoCore 0x6def8:$a: NanoCore 0x6df0a:$a: NanoCore 0x6df46:$a: NanoCore 0x4c2d1:$b: ClientPlugin 0x4c380:$b: ClientPlugin 0x4c4e6:$b: ClientPlugin 0x4c526:$b: ClientPlugin 0x56caa:$b: ClientPlugin
Process Memory Space: wzkp8c4Z3F.exe PID: 5336	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4c51d:$a1: NanoCore.ClientPluginHost 0x4c4dd:$a2: NanoCore.ClientPlugin 0x4dd5e:$b1: get_BuilderSettings 0x4c30c:$b2: ClientLoaderForm.resources 0x4d49b:$b3: PluginCommand 0x4c50e:$b4: IClientAppHost 0x5627a:$b5: GetBlockHash 0x4e399:$b6: AddHostEntry 0x590bf:$b6: AddHostEntry 0x64f97:$b6: AddHostEntry 0x70328:$b6: AddHostEntry 0x5207a:$b7: LogClientException 0x5cc00:$b7: LogClientException 0x68ad8:$b7: LogClientException 0x73e69:$b7: LogClientException 0x4e306:$b8: PipeExists 0x59033:$b8: PipeExists 0x64f0b:$b8: PipeExists 0x7029c:$b8: PipeExists 0x4c547:$b9: IClientLoggingHost
Process Memory Space: wzkp8c4Z3F.exe PID: 6004	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8b07:$x1: NanoCore.ClientPluginHost 0x232f6:$x1: NanoCore.ClientPluginHost 0x2eec5:$x1: NanoCore.ClientPluginHost 0x3cef6:$x1: NanoCore.ClientPluginHost 0x4d14e:$x1: NanoCore.ClientPluginHost 0xbad7b:$x1: NanoCore.ClientPluginHost 0xc4a5d:$x1: NanoCore.ClientPluginHost 0x10bc91:$x1: NanoCore.ClientPluginHost 0x142e0b:$x1: NanoCore.ClientPluginHost 0x15fe05:$x1: NanoCore.ClientPluginHost 0x1b98ee:$x1: NanoCore.ClientPluginHost 0x1bb178:$x1: NanoCore.ClientPluginHost 0x1ca58a:$x1: NanoCore.ClientPluginHost 0x1df731:$x1: NanoCore.ClientPluginHost 0x22ccaf:$x1: NanoCore.ClientPluginHost 0x240110:$x1: NanoCore.ClientPluginHost 0x25e0a8:$x1: NanoCore.ClientPluginHost 0x27e236:$x1: NanoCore.ClientPluginHost 0x8b44:$x2: IClientNetworkHost 0x23333:$x2: IClientNetworkHost 0x2eefe:$x2: IClientNetworkHost
Process Memory Space: wzkp8c4Z3F.exe PID: 6004	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wzkp8c4Z3F.exe PID: 6004	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x87d4:$a: NanoCore 0x87e4:$a: NanoCore 0x88a3:$a: NanoCore 0x88b2:$a: NanoCore 0x8ab3:$a: NanoCore 0x8ac7:$a: NanoCore 0x8b07:$a: NanoCore 0x13d25:$a: NanoCore 0x13d37:$a: NanoCore 0x13d73:$a: NanoCore 0x232b9:$a: NanoCore 0x232d1:$a: NanoCore 0x232f6:$a: NanoCore 0x27a88:$a: NanoCore 0x27a9e:$a: NanoCore 0x27ac1:$a: NanoCore 0x2eec5:$a: NanoCore 0x2ef41:$a: NanoCore 0x30521:$a: NanoCore 0x30595:$a: NanoCore 0x31e66:$a: NanoCore
Process Memory Space: wzkp8c4Z3F.exe PID: 6004	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8b07:$a1: NanoCore.ClientPluginHost 0x232f6:$a1: NanoCore.ClientPluginHost 0x2eec5:$a1: NanoCore.ClientPluginHost 0x3cef6:$a1: NanoCore.ClientPluginHost 0x4d14e:$a1: NanoCore.ClientPluginHost 0xbad7b:$a1: NanoCore.ClientPluginHost 0xc4a5d:$a1: NanoCore.ClientPluginHost 0x10bc91:$a1: NanoCore.ClientPluginHost 0x142e0b:$a1: NanoCore.ClientPluginHost 0x15fe05:$a1: NanoCore.ClientPluginHost 0x1b98ee:$a1: NanoCore.ClientPluginHost 0x1bb178:$a1: NanoCore.ClientPluginHost 0x1ca58a:$a1: NanoCore.ClientPluginHost 0x1df731:$a1: NanoCore.ClientPluginHost 0x22ccaf:$a1: NanoCore.ClientPluginHost 0x240110:$a1: NanoCore.ClientPluginHost 0x25e0a8:$a1: NanoCore.ClientPluginHost 0x27e236:$a1: NanoCore.ClientPluginHost 0x8ac7:$a2: NanoCore.ClientPlugin 0x232d1:$a2: NanoCore.ClientPlugin 0x2ef41:$a2: NanoCore.ClientPlugin
Process Memory Space: dhcpmon.exe PID: 2004	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wzkp8c4Z3F.exe PID: 3104	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: wzkp8c4Z3F.exe PID: 3104	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ded:$a: NanoCore 0x5332:$a: NanoCore 0x538b:$a: NanoCore 0x53c8:$a: NanoCore 0x5441:$a: NanoCore 0x5cfa:$a: NanoCore 0x5d4d:$a: NanoCore 0x5d86:$a: NanoCore 0x5df9:$a: NanoCore 0xd3cb:$a: NanoCore 0xd3de:$a: NanoCore 0xd410:$a: NanoCore 0x130fb:$a: NanoCore 0x1310e:$a: NanoCore 0x13140:$a: NanoCore 0x18192:$a: NanoCore 0x181a6:$a: NanoCore 0x18f16:$a: NanoCore 0x1db1f:$a: NanoCore 0x1db7a:$a: NanoCore 0x1dbee:$a: NanoCore
Process Memory Space: wzkp8c4Z3F.exe PID: 3104	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x53c8:$a1: NanoCore.ClientPluginHost 0x3316e:$a1: NanoCore.ClientPluginHost 0x538b:$a2: NanoCore.ClientPlugin 0x33131:$a2: NanoCore.ClientPlugin 0x5742:$b1: get_BuilderSettings 0x2c8c3:$b1: get_BuilderSettings 0x5416:$b4: IClientAppHost 0x331bc:$b4: IClientAppHost 0x57b3:$b6: AddHostEntry 0x334cf:$b6: AddHostEntry 0x5822:$b7: LogClientException 0x2c832:$b7: LogClientException 0x5797:$b8: PipeExists 0x334b3:$b8: PipeExists 0x5403:$b9: IClientLoggingHost 0x331a9:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 6060	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6060	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1170:$a: NanoCore 0x1298:$a: NanoCore 0x12ac:$a: NanoCore 0x1fb3:$a: NanoCore 0xbda7:$a: NanoCore 0xbe02:$a: NanoCore 0xbe76:$a: NanoCore 0x21403:$a: NanoCore 0x2145c:$a: NanoCore 0x21499:$a: NanoCore 0x21512:$a: NanoCore 0x21ca0:$a: NanoCore 0x21cf3:$a: NanoCore 0x21d2c:$a: NanoCore 0x21d9f:$a: NanoCore 0x228ba:$a: NanoCore 0x1c766:$b: ClientPlugin 0x1c7a7:$b: ClientPlugin 0x21465:$b: ClientPlugin 0x214a2:$b: ClientPlugin 0x21c50:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 6060	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x21499:$a1: NanoCore.ClientPluginHost 0x2145c:$a2: NanoCore.ClientPlugin 0x1abee:$b1: get_BuilderSettings 0x214e7:$b4: IClientAppHost 0x217fa:$b6: AddHostEntry 0x1ab5d:$b7: LogClientException 0x217de:$b8: PipeExists 0x214d4:$b9: IClientLoggingHost
Click to see the 100 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.wzkp8c4Z3F.exe.3354670.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3354670.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.3354670.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.3354670.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.447cc37.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0xb018:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost 0xb051:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.447cc37.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0xb018:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0xb163:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost 0xb032:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.447cc37.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0xb0b8:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0xb018:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0xb0ce:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0xb070:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0xb032:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0xb051:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0xb899:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0xad6e:$s1: ClientPlugin 0xb0c1:$s1: ClientPlugin 0xbcad:$s2: EndPoint 0xb99e:$s3: IPAddress
1.2.wzkp8c4Z3F.exe.447cc37.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0xb018:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0xb0b8:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0xbe0e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost 0xb032:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42c9930.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.42c9930.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42c9930.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.42c9930.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7630000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7630000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7630000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
1.2.wzkp8c4Z3F.exe.7630000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42dad:$x1: NanoCore.ClientPluginHost 0x757cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42dea:$x2: IClientNetworkHost 0x7580a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4691d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7933d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x42b15:$x1: NanoCore Client 0x42b25:$x1: NanoCore Client 0x75535:$x1: NanoCore Client 0x75545:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x42d6d:$x2: NanoCore.ClientPlugin 0x7578d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x42dad:$x3: NanoCore.ClientPluginHost 0x757cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x42d62:$i1: IClientApp 0x75782:$i1: IClientApp 0x10163:$i2: IClientData 0x42d83:$i2: IClientData 0x757a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x42d8f:$i3: IClientNetwork 0x757af:$i3: IClientNetwork
0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42b15:$a: NanoCore 0x42b25:$a: NanoCore 0x42d59:$a: NanoCore 0x42d6d:$a: NanoCore 0x42dad:$a: NanoCore 0x75535:$a: NanoCore 0x75545:$a: NanoCore 0x75779:$a: NanoCore 0x7578d:$a: NanoCore 0x757cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b74:$b: ClientPlugin 0x42d76:$b: ClientPlugin 0x42db6:$b: ClientPlugin
0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x42dad:$a1: NanoCore.ClientPluginHost 0x757cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x42d6d:$a2: NanoCore.ClientPlugin 0x7578d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0x44cc6:$b1: get_BuilderSettings 0x776e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x42bc9:$b2: ClientLoaderForm.resources 0x755e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x443e6:$b3: PluginCommand 0x76e06:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x42d9e:$b4: IClientAppHost 0x757be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x4d21e:$b5: GetBlockHash 0x7fc3e:$b5: GetBlockHash
1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd9:$x1: NanoCore.ClientPluginHost 0x21f44:$x1: NanoCore.ClientPluginHost 0x2bd98:$x1: NanoCore.ClientPluginHost 0x33cc0:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e06:$x2: IClientNetworkHost 0x21f7d:$x2: IClientNetworkHost 0x2bdd1:$x2: IClientNetworkHost 0x33cf9:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14dd9:$x2: NanoCore.ClientPluginHost 0x21f44:$x2: NanoCore.ClientPluginHost 0x2bd98:$x2: NanoCore.ClientPluginHost 0x33cc0:$x2: NanoCore.ClientPluginHost 0x15da8:$s2: FileCommand 0x6a6b:$s4: PipeCreated 0x1a7aa:$s4: PipeCreated 0x22061:$s4: PipeCreated 0x2be9c:$s4: PipeCreated 0x33ddb:$s4: PipeCreated 0x14df3:$s5: IClientLoggingHost 0x21f5e:$s5: IClientLoggingHost 0x2bdb2:$s5: IClientLoggingHost 0x33cda:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x33d3a:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14dd9:$x3: NanoCore.ClientPluginHost 0x21f44:$x3: NanoCore.ClientPluginHost 0x2bd98:$x3: NanoCore.ClientPluginHost 0x33cc0:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x14da4:$i3: IClientNetwork 0x21fd6:$i3: IClientNetwork 0x2be2a:$i3: IClientNetwork 0x33d50:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x14dc9:$i5: IClientDataHost 0x14df3:$i6: IClientLoggingHost 0x21f5e:$i6: IClientLoggingHost 0x2bdb2:$i6: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x33cc0:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14db3:$a2: NanoCore.ClientPlugin 0x21fc0:$a2: NanoCore.ClientPlugin 0x2be14:$a2: NanoCore.ClientPlugin 0x33d3a:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost 0x2c99d:$b7: LogClientException 0x3445b:$b7: LogClientException 0x14df3:$b9: IClientLoggingHost 0x21f5e:$b9: IClientLoggingHost 0x2bdb2:$b9: IClientLoggingHost 0x33cda:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.wzkp8c4Z3F.exe.47245e0.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c70000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5c70000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c70000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c70000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
1.2.wzkp8c4Z3F.exe.4523845.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x3bd6:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4523845.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x3bd6:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x3cb4:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost 0x3bf0:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4523845.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x3c20:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x3bd6:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x3c36:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x3bf0:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin 0x3c29:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.4523845.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x3bd6:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0x3c20:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost 0x3bf0:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7a70000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7a70000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7a70000.36.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7a70000.36.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d10:$x1: NanoCore.ClientPluginHost 0x1fb64:$x1: NanoCore.ClientPluginHost 0x27a8c:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d49:$x2: IClientNetworkHost 0x1fb9d:$x2: IClientNetworkHost 0x27ac5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d10:$x2: NanoCore.ClientPluginHost 0x1fb64:$x2: NanoCore.ClientPluginHost 0x27a8c:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x15e2d:$s4: PipeCreated 0x1fc68:$s4: PipeCreated 0x27ba7:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost 0x15d2a:$s5: IClientLoggingHost 0x1fb7e:$s5: IClientLoggingHost 0x27aa6:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x27b06:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d10:$x3: NanoCore.ClientPluginHost 0x1fb64:$x3: NanoCore.ClientPluginHost 0x27a8c:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x15da2:$i3: IClientNetwork 0x1fbf6:$i3: IClientNetwork 0x27b1c:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x15d2a:$i6: IClientLoggingHost 0x1fb7e:$i6: IClientLoggingHost 0x27aa6:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x15d49:$i7: IClientNetworkHost 0x1fb9d:$i7: IClientNetworkHost 0x27ac5:$i7: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x27a8c:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8c:$a2: NanoCore.ClientPlugin 0x1fbe0:$a2: NanoCore.ClientPlugin 0x27b06:$a2: NanoCore.ClientPlugin 0x20769:$b7: LogClientException 0x28227:$b7: LogClientException 0x8bbf:$b9: IClientLoggingHost 0x15d2a:$b9: IClientLoggingHost 0x1fb7e:$b9: IClientLoggingHost 0x27aa6:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e90614.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.3e90614.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e90614.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.wzkp8c4Z3F.exe.3e90614.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
11.2.wzkp8c4Z3F.exe.3e90614.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4489064.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4489064.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4489064.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
1.2.wzkp8c4Z3F.exe.4489064.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c80000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5c80000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5c80000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.5c80000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x44bad:$x1: NanoCore.ClientPluginHost 0x777cd:$x1: NanoCore.ClientPluginHost 0xaa1ed:$x1: NanoCore.ClientPluginHost 0x44bea:$x2: IClientNetworkHost 0x7780a:$x2: IClientNetworkHost 0xaa22a:$x2: IClientNetworkHost 0x4871d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7b33d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xadd5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x44915:$x1: NanoCore Client 0x44925:$x1: NanoCore Client 0x77535:$x1: NanoCore Client 0x77545:$x1: NanoCore Client 0xa9f55:$x1: NanoCore Client 0xa9f65:$x1: NanoCore Client 0x44b6d:$x2: NanoCore.ClientPlugin 0x7778d:$x2: NanoCore.ClientPlugin 0xaa1ad:$x2: NanoCore.ClientPlugin 0x44bad:$x3: NanoCore.ClientPluginHost 0x777cd:$x3: NanoCore.ClientPluginHost 0xaa1ed:$x3: NanoCore.ClientPluginHost 0x44b62:$i1: IClientApp 0x77782:$i1: IClientApp 0xaa1a2:$i1: IClientApp 0x44b83:$i2: IClientData 0x777a3:$i2: IClientData 0xaa1c3:$i2: IClientData 0x44b8f:$i3: IClientNetwork 0x777af:$i3: IClientNetwork 0xaa1cf:$i3: IClientNetwork
0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x44915:$a: NanoCore 0x44925:$a: NanoCore 0x44b59:$a: NanoCore 0x44b6d:$a: NanoCore 0x44bad:$a: NanoCore 0x77535:$a: NanoCore 0x77545:$a: NanoCore 0x77779:$a: NanoCore 0x7778d:$a: NanoCore 0x777cd:$a: NanoCore 0xa9f55:$a: NanoCore 0xa9f65:$a: NanoCore 0xaa199:$a: NanoCore 0xaa1ad:$a: NanoCore 0xaa1ed:$a: NanoCore 0x44974:$b: ClientPlugin 0x44b76:$b: ClientPlugin 0x44bb6:$b: ClientPlugin 0x77594:$b: ClientPlugin 0x77796:$b: ClientPlugin 0x777d6:$b: ClientPlugin
0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x44bad:$a1: NanoCore.ClientPluginHost 0x777cd:$a1: NanoCore.ClientPluginHost 0xaa1ed:$a1: NanoCore.ClientPluginHost 0x44b6d:$a2: NanoCore.ClientPlugin 0x7778d:$a2: NanoCore.ClientPlugin 0xaa1ad:$a2: NanoCore.ClientPlugin 0x46ac6:$b1: get_BuilderSettings 0x796e6:$b1: get_BuilderSettings 0xac106:$b1: get_BuilderSettings 0x449c9:$b2: ClientLoaderForm.resources 0x775e9:$b2: ClientLoaderForm.resources 0xaa009:$b2: ClientLoaderForm.resources 0x461e6:$b3: PluginCommand 0x78e06:$b3: PluginCommand 0xab826:$b3: PluginCommand 0x44b9e:$b4: IClientAppHost 0x777be:$b4: IClientAppHost 0xaa1de:$b4: IClientAppHost 0x4f01e:$b5: GetBlockHash 0x81c3e:$b5: GetBlockHash 0xb465e:$b5: GetBlockHash
1.2.wzkp8c4Z3F.exe.75e0000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.75e0000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.75e0000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
1.2.wzkp8c4Z3F.exe.75e0000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7600000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7600000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7600000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7600000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77a0000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77a0000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77a0000.32.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77a0000.32.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77b0000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77b0000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77b0000.34.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77b0000.34.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
1.0.wzkp8c4Z3F.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.0.wzkp8c4Z3F.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.0.wzkp8c4Z3F.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.0.wzkp8c4Z3F.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
1.0.wzkp8c4Z3F.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.0.wzkp8c4Z3F.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.3336334.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3336334.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.3336334.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.3336334.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x81d6:$x1: NanoCore.ClientPluginHost 0x11c42:$x1: NanoCore.ClientPluginHost 0x1c06d:$x1: NanoCore.ClientPluginHost 0x2704a:$x1: NanoCore.ClientPluginHost 0x32dec:$x1: NanoCore.ClientPluginHost 0x57cf0:$x1: NanoCore.ClientPluginHost 0x67130:$x1: NanoCore.ClientPluginHost 0x74385:$x1: NanoCore.ClientPluginHost 0x7f362:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost 0x11d9f:$x2: IClientNetworkHost 0x1c0a6:$x2: IClientNetworkHost 0x27064:$x2: IClientNetworkHost 0x32e06:$x2: IClientNetworkHost 0x57d0a:$x2: IClientNetworkHost 0x6716d:$x2: IClientNetworkHost 0x743be:$x2: IClientNetworkHost 0x7f37c:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x81d6:$x2: NanoCore.ClientPluginHost 0x11c42:$x2: NanoCore.ClientPluginHost 0x1c06d:$x2: NanoCore.ClientPluginHost 0x2704a:$x2: NanoCore.ClientPluginHost 0x32dec:$x2: NanoCore.ClientPluginHost 0x57cf0:$x2: NanoCore.ClientPluginHost 0x67130:$x2: NanoCore.ClientPluginHost 0x74385:$x2: NanoCore.ClientPluginHost 0x7f362:$x2: NanoCore.ClientPluginHost 0x12b98:$s3: PipeExists 0x2320:$s4: PipeCreated 0x82b4:$s4: PipeCreated 0x11e38:$s4: PipeCreated 0x1c1b8:$s4: PipeCreated 0x2807f:$s4: PipeCreated 0x34b97:$s4: PipeCreated 0x5b02d:$s4: PipeCreated 0x6a583:$s4: PipeCreated 0x744d0:$s4: PipeCreated 0x80397:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x8220:$x2: NanoCore.ClientPlugin 0x11d2c:$x2: NanoCore.ClientPlugin 0x1c10d:$x2: NanoCore.ClientPlugin 0x27021:$x2: NanoCore.ClientPlugin 0x32dc3:$x2: NanoCore.ClientPlugin 0x57cc7:$x2: NanoCore.ClientPlugin 0x6710b:$x2: NanoCore.ClientPlugin 0x74425:$x2: NanoCore.ClientPlugin 0x7f339:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x81d6:$x3: NanoCore.ClientPluginHost 0x11c42:$x3: NanoCore.ClientPluginHost 0x1c06d:$x3: NanoCore.ClientPluginHost 0x2704a:$x3: NanoCore.ClientPluginHost 0x32dec:$x3: NanoCore.ClientPluginHost 0x57cf0:$x3: NanoCore.ClientPluginHost 0x67130:$x3: NanoCore.ClientPluginHost 0x74385:$x3: NanoCore.ClientPluginHost 0x7f362:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork
1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2205:$a: NanoCore 0x227f:$a: NanoCore 0x6e1c:$a: NanoCore 0x81d6:$a: NanoCore 0x8220:$a: NanoCore 0x8e7a:$a: NanoCore 0x11c42:$a: NanoCore 0x11d2c:$a: NanoCore 0x12ba3:$a: NanoCore 0x1bd4d:$a: NanoCore 0x1bdae:$a: NanoCore 0x1bdf1:$a: NanoCore 0x1be31:$a: NanoCore 0x1c06d:$a: NanoCore 0x1c10d:$a: NanoCore 0x1c8e5:$a: NanoCore 0x1ced8:$a: NanoCore 0x1d029:$a: NanoCore 0x1de83:$a: NanoCore 0x1e0ea:$a: NanoCore 0x1e0ff:$a: NanoCore
1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x81d6:$a1: NanoCore.ClientPluginHost 0x11c42:$a1: NanoCore.ClientPluginHost 0x1c06d:$a1: NanoCore.ClientPluginHost 0x2704a:$a1: NanoCore.ClientPluginHost 0x32dec:$a1: NanoCore.ClientPluginHost 0x57cf0:$a1: NanoCore.ClientPluginHost 0x67130:$a1: NanoCore.ClientPluginHost 0x74385:$a1: NanoCore.ClientPluginHost 0x7f362:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x8220:$a2: NanoCore.ClientPlugin 0x11d2c:$a2: NanoCore.ClientPlugin 0x1c10d:$a2: NanoCore.ClientPlugin 0x27021:$a2: NanoCore.ClientPlugin 0x32dc3:$a2: NanoCore.ClientPlugin 0x57cc7:$a2: NanoCore.ClientPlugin 0x6710b:$a2: NanoCore.ClientPlugin 0x74425:$a2: NanoCore.ClientPlugin 0x7f339:$a2: NanoCore.ClientPlugin 0x67121:$b4: IClientAppHost
1.2.wzkp8c4Z3F.exe.444b155.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.444b155.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.444b155.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.444b155.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.443ef21.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.443ef21.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.443ef21.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.443ef21.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7780000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7780000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7780000.31.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
1.2.wzkp8c4Z3F.exe.7780000.31.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x27b51:$x1: NanoCore.ClientPluginHost 0x2db68:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x27b8a:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15dcf:$x2: NanoCore.ClientPlugin 0x1fc63:$x2: NanoCore.ClientPlugin 0x27bcb:$x2: NanoCore.ClientPlugin 0x2dbb2:$x2: NanoCore.ClientPlugin 0x37701:$x2: NanoCore.ClientPlugin 0x41b27:$x2: NanoCore.ClientPlugin 0x4ca84:$x2: NanoCore.ClientPlugin 0x5886e:$x2: NanoCore.ClientPlugin 0x64631:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d53:$x3: NanoCore.ClientPluginHost 0x1fbe7:$x3: NanoCore.ClientPluginHost 0x27b51:$x3: NanoCore.ClientPluginHost 0x2db68:$x3: NanoCore.ClientPluginHost 0x37617:$x3: NanoCore.ClientPluginHost 0x41a87:$x3: NanoCore.ClientPluginHost 0x4caad:$x3: NanoCore.ClientPluginHost 0x58897:$x3: NanoCore.ClientPluginHost 0x64656:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x27b51:$a: NanoCore 0x27bcb:$a: NanoCore 0x2db68:$a: NanoCore 0x2dbb2:$a: NanoCore 0x2e80c:$a: NanoCore
1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d53:$a1: NanoCore.ClientPluginHost 0x1fbe7:$a1: NanoCore.ClientPluginHost 0x27b51:$a1: NanoCore.ClientPluginHost 0x2db68:$a1: NanoCore.ClientPluginHost 0x37617:$a1: NanoCore.ClientPluginHost 0x41a87:$a1: NanoCore.ClientPluginHost 0x4caad:$a1: NanoCore.ClientPluginHost 0x58897:$a1: NanoCore.ClientPluginHost 0x64656:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15dcf:$a2: NanoCore.ClientPlugin 0x1fc63:$a2: NanoCore.ClientPlugin 0x27bcb:$a2: NanoCore.ClientPlugin 0x2dbb2:$a2: NanoCore.ClientPlugin 0x37701:$a2: NanoCore.ClientPlugin 0x41b27:$a2: NanoCore.ClientPlugin 0x4ca84:$a2: NanoCore.ClientPlugin 0x5886e:$a2: NanoCore.ClientPlugin 0x64631:$a2: NanoCore.ClientPlugin 0x64647:$b4: IClientAppHost
12.2.dhcpmon.exe.2c89684.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.dhcpmon.exe.2c89684.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.dhcpmon.exe.2c89684.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
12.2.dhcpmon.exe.2c89684.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.461294e.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.461294e.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.461294e.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
1.2.wzkp8c4Z3F.exe.461294e.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb537:$x1: NanoCore.ClientPluginHost 0x1345f:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb570:$x2: IClientNetworkHost 0x13498:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb537:$x2: NanoCore.ClientPluginHost 0x1345f:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0xb63b:$s4: PipeCreated 0x1357a:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb551:$s5: IClientLoggingHost 0x13479:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x134d9:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb537:$x3: NanoCore.ClientPluginHost 0x1345f:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5c9:$i3: IClientNetwork 0x134ef:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0xb551:$i6: IClientLoggingHost 0x13479:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0xb570:$i7: IClientNetworkHost 0x13498:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin 0xb227:$s1: ClientPlugin 0xb5bc:$s1: ClientPlugin 0x131f9:$s1: ClientPlugin 0x134e2:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x1345f:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b3:$a2: NanoCore.ClientPlugin 0x134d9:$a2: NanoCore.ClientPlugin 0xc13c:$b7: LogClientException 0x13bfa:$b7: LogClientException 0x16fd:$b9: IClientLoggingHost 0xb551:$b9: IClientLoggingHost 0x13479:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9ca:$x1: NanoCore.ClientPluginHost 0x1a76e:$x1: NanoCore.ClientPluginHost 0x3f674:$x1: NanoCore.ClientPluginHost 0x4eab6:$x1: NanoCore.ClientPluginHost 0x57d6b:$x1: NanoCore.ClientPluginHost 0x6b4d9:$x1: NanoCore.ClientPluginHost 0x79113:$x1: NanoCore.ClientPluginHost 0x8932f:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e4:$x2: IClientNetworkHost 0x1a788:$x2: IClientNetworkHost 0x3f68e:$x2: IClientNetworkHost 0x4eaf3:$x2: IClientNetworkHost 0x57d85:$x2: IClientNetworkHost 0x6b506:$x2: IClientNetworkHost 0x7913d:$x2: IClientNetworkHost 0x8935c:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9ca:$x2: NanoCore.ClientPluginHost 0x1a76e:$x2: NanoCore.ClientPluginHost 0x3f674:$x2: NanoCore.ClientPluginHost 0x4eab6:$x2: NanoCore.ClientPluginHost 0x57d6b:$x2: NanoCore.ClientPluginHost 0x6b4d9:$x2: NanoCore.ClientPluginHost 0x79113:$x2: NanoCore.ClientPluginHost 0x8932f:$x2: NanoCore.ClientPluginHost 0x8a2fe:$s2: FileCommand 0x58157:$s3: PipeExists 0x3b36:$s4: PipeCreated 0xf9ff:$s4: PipeCreated 0x1c519:$s4: PipeCreated 0x429b1:$s4: PipeCreated 0x51f09:$s4: PipeCreated 0x5802c:$s4: PipeCreated 0x6c5b4:$s4: PipeCreated 0x7afc3:$s4: PipeCreated 0x8ed00:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe9a1:$x2: NanoCore.ClientPlugin 0x1a745:$x2: NanoCore.ClientPlugin 0x3f64b:$x2: NanoCore.ClientPlugin 0x4ea91:$x2: NanoCore.ClientPlugin 0x57d2e:$x2: NanoCore.ClientPlugin 0x6b4a4:$x2: NanoCore.ClientPlugin 0x790ee:$x2: NanoCore.ClientPlugin 0x89309:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9ca:$x3: NanoCore.ClientPluginHost 0x1a76e:$x3: NanoCore.ClientPluginHost 0x3f674:$x3: NanoCore.ClientPluginHost 0x4eab6:$x3: NanoCore.ClientPluginHost 0x57d6b:$x3: NanoCore.ClientPluginHost 0x6b4d9:$x3: NanoCore.ClientPluginHost 0x79113:$x3: NanoCore.ClientPluginHost 0x8932f:$x3: NanoCore.ClientPluginHost 0x57d50:$i1: IClientApp 0x57d44:$i2: IClientData 0x6b498:$i2: IClientData
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe9a1:$a: NanoCore 0xe9ca:$a: NanoCore 0x1a745:$a: NanoCore 0x1a76e:$a: NanoCore 0x3f633:$a: NanoCore 0x3f64b:$a: NanoCore 0x3f674:$a: NanoCore 0x4ea79:$a: NanoCore
1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9ca:$a1: NanoCore.ClientPluginHost 0x1a76e:$a1: NanoCore.ClientPluginHost 0x3f674:$a1: NanoCore.ClientPluginHost 0x4eab6:$a1: NanoCore.ClientPluginHost 0x57d6b:$a1: NanoCore.ClientPluginHost 0x6b4d9:$a1: NanoCore.ClientPluginHost 0x79113:$a1: NanoCore.ClientPluginHost 0x8932f:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe9a1:$a2: NanoCore.ClientPlugin 0x1a745:$a2: NanoCore.ClientPlugin 0x3f64b:$a2: NanoCore.ClientPlugin 0x4ea91:$a2: NanoCore.ClientPlugin 0x57d2e:$a2: NanoCore.ClientPlugin 0x6b4a4:$a2: NanoCore.ClientPlugin 0x790ee:$a2: NanoCore.ClientPlugin 0x89309:$a2: NanoCore.ClientPlugin 0x58102:$b1: get_BuilderSettings 0x7041f:$b1: get_BuilderSettings 0x7cab0:$b1: get_BuilderSettings
1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7620000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.7620000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.7620000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
1.2.wzkp8c4Z3F.exe.7620000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x7c31:$x1: NanoCore.ClientPluginHost 0xdc02:$x1: NanoCore.ClientPluginHost 0x1766e:$x1: NanoCore.ClientPluginHost 0x21a99:$x1: NanoCore.ClientPluginHost 0x2ca76:$x1: NanoCore.ClientPluginHost 0x38818:$x1: NanoCore.ClientPluginHost 0x5d71c:$x1: NanoCore.ClientPluginHost 0x6cb5c:$x1: NanoCore.ClientPluginHost 0x79db1:$x1: NanoCore.ClientPluginHost 0x84d8e:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0x7c6a:$x2: IClientNetworkHost 0x177cb:$x2: IClientNetworkHost 0x21ad2:$x2: IClientNetworkHost 0x2ca90:$x2: IClientNetworkHost 0x38832:$x2: IClientNetworkHost 0x5d736:$x2: IClientNetworkHost 0x6cb99:$x2: IClientNetworkHost 0x79dea:$x2: IClientNetworkHost 0x84da8:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x7c31:$x2: NanoCore.ClientPluginHost 0xdc02:$x2: NanoCore.ClientPluginHost 0x1766e:$x2: NanoCore.ClientPluginHost 0x21a99:$x2: NanoCore.ClientPluginHost 0x2ca76:$x2: NanoCore.ClientPluginHost 0x38818:$x2: NanoCore.ClientPluginHost 0x5d71c:$x2: NanoCore.ClientPluginHost 0x6cb5c:$x2: NanoCore.ClientPluginHost 0x79db1:$x2: NanoCore.ClientPluginHost 0x84d8e:$x2: NanoCore.ClientPluginHost 0x185c4:$s3: PipeExists 0x1800:$s4: PipeCreated 0x7d4c:$s4: PipeCreated 0xdce0:$s4: PipeCreated 0x17864:$s4: PipeCreated 0x21be4:$s4: PipeCreated 0x2daab:$s4: PipeCreated 0x3a5c3:$s4: PipeCreated 0x60a59:$s4: PipeCreated 0x6ffaf:$s4: PipeCreated
1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x7cab:$x2: NanoCore.ClientPlugin 0xdc4c:$x2: NanoCore.ClientPlugin 0x17758:$x2: NanoCore.ClientPlugin 0x21b39:$x2: NanoCore.ClientPlugin 0x2ca4d:$x2: NanoCore.ClientPlugin 0x387ef:$x2: NanoCore.ClientPlugin 0x5d6f3:$x2: NanoCore.ClientPlugin 0x6cb37:$x2: NanoCore.ClientPlugin 0x79e51:$x2: NanoCore.ClientPlugin 0x84d65:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x7c31:$x3: NanoCore.ClientPluginHost 0xdc02:$x3: NanoCore.ClientPluginHost 0x1766e:$x3: NanoCore.ClientPluginHost 0x21a99:$x3: NanoCore.ClientPluginHost 0x2ca76:$x3: NanoCore.ClientPluginHost 0x38818:$x3: NanoCore.ClientPluginHost 0x5d71c:$x3: NanoCore.ClientPluginHost 0x6cb5c:$x3: NanoCore.ClientPluginHost 0x79db1:$x3: NanoCore.ClientPluginHost
1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x7c31:$a: NanoCore 0x7cab:$a: NanoCore 0xc848:$a: NanoCore 0xdc02:$a: NanoCore 0xdc4c:$a: NanoCore 0xe8a6:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x7c31:$a1: NanoCore.ClientPluginHost 0xdc02:$a1: NanoCore.ClientPluginHost 0x1766e:$a1: NanoCore.ClientPluginHost 0x21a99:$a1: NanoCore.ClientPluginHost 0x2ca76:$a1: NanoCore.ClientPluginHost 0x38818:$a1: NanoCore.ClientPluginHost 0x5d71c:$a1: NanoCore.ClientPluginHost 0x6cb5c:$a1: NanoCore.ClientPluginHost 0x79db1:$a1: NanoCore.ClientPluginHost 0x84d8e:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x7cab:$a2: NanoCore.ClientPlugin 0xdc4c:$a2: NanoCore.ClientPlugin 0x17758:$a2: NanoCore.ClientPlugin 0x21b39:$a2: NanoCore.ClientPlugin 0x2ca4d:$a2: NanoCore.ClientPlugin 0x387ef:$a2: NanoCore.ClientPlugin 0x5d6f3:$a2: NanoCore.ClientPlugin 0x6cb37:$a2: NanoCore.ClientPlugin 0x79e51:$a2: NanoCore.ClientPlugin
1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0xfe18:$x1: NanoCore.ClientPluginHost 0x1adf7:$x1: NanoCore.ClientPluginHost 0x26b9b:$x1: NanoCore.ClientPluginHost 0x4baa1:$x1: NanoCore.ClientPluginHost 0x5aee3:$x1: NanoCore.ClientPluginHost 0x64198:$x1: NanoCore.ClientPluginHost 0x77906:$x1: NanoCore.ClientPluginHost 0x85540:$x1: NanoCore.ClientPluginHost 0x9575c:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost 0xfe51:$x2: IClientNetworkHost 0x1ae11:$x2: IClientNetworkHost 0x26bb5:$x2: IClientNetworkHost 0x4babb:$x2: IClientNetworkHost 0x5af20:$x2: IClientNetworkHost 0x641b2:$x2: IClientNetworkHost 0x77933:$x2: IClientNetworkHost 0x8556a:$x2: IClientNetworkHost 0x95789:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0xfeb8:$x2: NanoCore.ClientPlugin 0x1adce:$x2: NanoCore.ClientPlugin 0x26b72:$x2: NanoCore.ClientPlugin 0x4ba78:$x2: NanoCore.ClientPlugin 0x5aebe:$x2: NanoCore.ClientPlugin 0x6415b:$x2: NanoCore.ClientPlugin 0x778d1:$x2: NanoCore.ClientPlugin 0x8551b:$x2: NanoCore.ClientPlugin 0x95736:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0xfe18:$x3: NanoCore.ClientPluginHost 0x1adf7:$x3: NanoCore.ClientPluginHost 0x26b9b:$x3: NanoCore.ClientPluginHost 0x4baa1:$x3: NanoCore.ClientPluginHost 0x5aee3:$x3: NanoCore.ClientPluginHost 0x64198:$x3: NanoCore.ClientPluginHost 0x77906:$x3: NanoCore.ClientPluginHost 0x85540:$x3: NanoCore.ClientPluginHost 0x9575c:$x3: NanoCore.ClientPluginHost 0x6417d:$i1: IClientApp
1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x59eb:$a: NanoCore 0x5ad5:$a: NanoCore 0x694c:$a: NanoCore 0xfaf8:$a: NanoCore 0xfb59:$a: NanoCore 0xfb9c:$a: NanoCore 0xfbdc:$a: NanoCore 0xfe18:$a: NanoCore 0xfeb8:$a: NanoCore 0x10690:$a: NanoCore 0x10c83:$a: NanoCore 0x10dd4:$a: NanoCore 0x11c2e:$a: NanoCore 0x11e95:$a: NanoCore 0x11eaa:$a: NanoCore 0x11ec9:$a: NanoCore 0x1adce:$a: NanoCore 0x1adf7:$a: NanoCore 0x26b72:$a: NanoCore 0x26b9b:$a: NanoCore 0x4ba60:$a: NanoCore
1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0xfe18:$a1: NanoCore.ClientPluginHost 0x1adf7:$a1: NanoCore.ClientPluginHost 0x26b9b:$a1: NanoCore.ClientPluginHost 0x4baa1:$a1: NanoCore.ClientPluginHost 0x5aee3:$a1: NanoCore.ClientPluginHost 0x64198:$a1: NanoCore.ClientPluginHost 0x77906:$a1: NanoCore.ClientPluginHost 0x85540:$a1: NanoCore.ClientPluginHost 0x9575c:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0xfeb8:$a2: NanoCore.ClientPlugin 0x1adce:$a2: NanoCore.ClientPlugin 0x26b72:$a2: NanoCore.ClientPlugin 0x4ba78:$a2: NanoCore.ClientPlugin 0x5aebe:$a2: NanoCore.ClientPlugin 0x6415b:$a2: NanoCore.ClientPlugin 0x778d1:$a2: NanoCore.ClientPlugin 0x8551b:$a2: NanoCore.ClientPlugin 0x95736:$a2: NanoCore.ClientPlugin 0x6452f:$b1: get_BuilderSettings
1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0xae14:$x1: NanoCore.ClientPluginHost 0x1523f:$x1: NanoCore.ClientPluginHost 0x2021c:$x1: NanoCore.ClientPluginHost 0x2bfbe:$x1: NanoCore.ClientPluginHost 0x50ec2:$x1: NanoCore.ClientPluginHost 0x60302:$x1: NanoCore.ClientPluginHost 0x6d557:$x1: NanoCore.ClientPluginHost 0x78534:$x1: NanoCore.ClientPluginHost 0xaf71:$x2: IClientNetworkHost 0x15278:$x2: IClientNetworkHost 0x20236:$x2: IClientNetworkHost 0x2bfd8:$x2: IClientNetworkHost 0x50edc:$x2: IClientNetworkHost 0x6033f:$x2: IClientNetworkHost 0x6d590:$x2: IClientNetworkHost 0x7854e:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0xae14:$x2: NanoCore.ClientPluginHost 0x1523f:$x2: NanoCore.ClientPluginHost 0x2021c:$x2: NanoCore.ClientPluginHost 0x2bfbe:$x2: NanoCore.ClientPluginHost 0x50ec2:$x2: NanoCore.ClientPluginHost 0x60302:$x2: NanoCore.ClientPluginHost 0x6d557:$x2: NanoCore.ClientPluginHost 0x78534:$x2: NanoCore.ClientPluginHost 0xbd6a:$s3: PipeExists 0x1486:$s4: PipeCreated 0xb00a:$s4: PipeCreated 0x1538a:$s4: PipeCreated 0x21251:$s4: PipeCreated 0x2dd69:$s4: PipeCreated 0x541ff:$s4: PipeCreated 0x63755:$s4: PipeCreated 0x6d6a2:$s4: PipeCreated 0x79569:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost 0xae2e:$s5: IClientLoggingHost
1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost 0xae16:$x1: NanoCore.ClientPluginHost 0x15243:$x1: NanoCore.ClientPluginHost 0x20222:$x1: NanoCore.ClientPluginHost 0x2bfc6:$x1: NanoCore.ClientPluginHost 0x50ecc:$x1: NanoCore.ClientPluginHost 0x6030e:$x1: NanoCore.ClientPluginHost 0x695c3:$x1: NanoCore.ClientPluginHost 0x7cd31:$x1: NanoCore.ClientPluginHost 0x8a96b:$x1: NanoCore.ClientPluginHost 0x9ab87:$x1: NanoCore.ClientPluginHost 0xaf73:$x2: IClientNetworkHost 0x1527c:$x2: IClientNetworkHost 0x2023c:$x2: IClientNetworkHost 0x2bfe0:$x2: IClientNetworkHost 0x50ee6:$x2: IClientNetworkHost 0x6034b:$x2: IClientNetworkHost 0x695dd:$x2: IClientNetworkHost 0x7cd5e:$x2: IClientNetworkHost 0x8a995:$x2: IClientNetworkHost 0x9abb4:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x2a42f:$x1: NanoCore.ClientPluginHost 0x4c755:$x1: NanoCore.ClientPluginHost 0x59903:$x1: NanoCore.ClientPluginHost 0x63797:$x1: NanoCore.ClientPluginHost 0x6b701:$x1: NanoCore.ClientPluginHost 0x71718:$x1: NanoCore.ClientPluginHost 0x7b1c7:$x1: NanoCore.ClientPluginHost 0x85637:$x1: NanoCore.ClientPluginHost 0x9065d:$x1: NanoCore.ClientPluginHost 0x9c447:$x1: NanoCore.ClientPluginHost 0xa8206:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x2a459:$x2: IClientNetworkHost 0x4c782:$x2: IClientNetworkHost 0x5993c:$x2: IClientNetworkHost 0x637d0:$x2: IClientNetworkHost 0x6b73a:$x2: IClientNetworkHost 0x7b324:$x2: IClientNetworkHost 0x85670:$x2: IClientNetworkHost 0x90677:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x26ee1:$x1: NanoCore.ClientPluginHost 0x3408f:$x1: NanoCore.ClientPluginHost 0x3df23:$x1: NanoCore.ClientPluginHost 0x45e8d:$x1: NanoCore.ClientPluginHost 0x4bea4:$x1: NanoCore.ClientPluginHost 0x55953:$x1: NanoCore.ClientPluginHost 0x5fdc3:$x1: NanoCore.ClientPluginHost 0x6ade9:$x1: NanoCore.ClientPluginHost 0x76bd3:$x1: NanoCore.ClientPluginHost 0x82992:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x26f0e:$x2: IClientNetworkHost 0x340c8:$x2: IClientNetworkHost 0x3df5c:$x2: IClientNetworkHost 0x45ec6:$x2: IClientNetworkHost 0x55ab0:$x2: IClientNetworkHost 0x5fdfc:$x2: IClientNetworkHost 0x6ae03:$x2: IClientNetworkHost 0x76bed:$x2: IClientNetworkHost 0x829cf:$x2: IClientNetworkHost
1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x2a40a:$x2: NanoCore.ClientPlugin 0x4c72f:$x2: NanoCore.ClientPlugin 0x5997f:$x2: NanoCore.ClientPlugin 0x63813:$x2: NanoCore.ClientPlugin 0x6b77b:$x2: NanoCore.ClientPlugin 0x71762:$x2: NanoCore.ClientPlugin 0x7b2b1:$x2: NanoCore.ClientPlugin 0x856d7:$x2: NanoCore.ClientPlugin 0x90634:$x2: NanoCore.ClientPlugin 0x9c41e:$x2: NanoCore.ClientPlugin 0xa81e1:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x2a42f:$x3: NanoCore.ClientPluginHost 0x4c755:$x3: NanoCore.ClientPluginHost 0x59903:$x3: NanoCore.ClientPluginHost 0x63797:$x3: NanoCore.ClientPluginHost 0x6b701:$x3: NanoCore.ClientPluginHost 0x71718:$x3: NanoCore.ClientPluginHost 0x7b1c7:$x3: NanoCore.ClientPluginHost 0x85637:$x3: NanoCore.ClientPluginHost
1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x2a40a:$a: NanoCore 0x2a42f:$a: NanoCore 0x2a488:$a: NanoCore 0x4c72f:$a: NanoCore 0x4c755:$a: NanoCore 0x4c7b1:$a: NanoCore 0x5964b:$a: NanoCore 0x596a4:$a: NanoCore 0x596d7:$a: NanoCore 0x59903:$a: NanoCore 0x5997f:$a: NanoCore 0x59f98:$a: NanoCore 0x5a0e1:$a: NanoCore 0x5a5b5:$a: NanoCore 0x5a89c:$a: NanoCore 0x5a8b3:$a: NanoCore 0x63797:$a: NanoCore
1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x2a42f:$a1: NanoCore.ClientPluginHost 0x4c755:$a1: NanoCore.ClientPluginHost 0x59903:$a1: NanoCore.ClientPluginHost 0x63797:$a1: NanoCore.ClientPluginHost 0x6b701:$a1: NanoCore.ClientPluginHost 0x71718:$a1: NanoCore.ClientPluginHost 0x7b1c7:$a1: NanoCore.ClientPluginHost 0x85637:$a1: NanoCore.ClientPluginHost 0x9065d:$a1: NanoCore.ClientPluginHost 0x9c447:$a1: NanoCore.ClientPluginHost 0xa8206:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x2a40a:$a2: NanoCore.ClientPlugin 0x4c72f:$a2: NanoCore.ClientPlugin 0x5997f:$a2: NanoCore.ClientPlugin 0x63813:$a2: NanoCore.ClientPlugin 0x6b77b:$a2: NanoCore.ClientPlugin 0x71762:$a2: NanoCore.ClientPlugin 0x7b2b1:$a2: NanoCore.ClientPlugin 0x856d7:$a2: NanoCore.ClientPlugin
1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0xaefe:$x2: NanoCore.ClientPlugin 0x152df:$x2: NanoCore.ClientPlugin 0x201f3:$x2: NanoCore.ClientPlugin 0x2bf95:$x2: NanoCore.ClientPlugin 0x50e99:$x2: NanoCore.ClientPlugin 0x602dd:$x2: NanoCore.ClientPlugin 0x6d5f7:$x2: NanoCore.ClientPlugin 0x7850b:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0xae14:$x3: NanoCore.ClientPluginHost 0x1523f:$x3: NanoCore.ClientPluginHost 0x2021c:$x3: NanoCore.ClientPluginHost 0x2bfbe:$x3: NanoCore.ClientPluginHost 0x50ec2:$x3: NanoCore.ClientPluginHost 0x60302:$x3: NanoCore.ClientPluginHost 0x6d557:$x3: NanoCore.ClientPluginHost 0x78534:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0xaf14:$i3: IClientNetwork 0x152f5:$i3: IClientNetwork
1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0xae14:$a: NanoCore 0xaefe:$a: NanoCore 0xbd75:$a: NanoCore 0x14f1f:$a: NanoCore 0x14f80:$a: NanoCore 0x14fc3:$a: NanoCore 0x15003:$a: NanoCore 0x1523f:$a: NanoCore 0x152df:$a: NanoCore 0x15ab7:$a: NanoCore 0x160aa:$a: NanoCore 0x161fb:$a: NanoCore 0x17055:$a: NanoCore 0x172bc:$a: NanoCore 0x172d1:$a: NanoCore 0x172f0:$a: NanoCore 0x201f3:$a: NanoCore 0x2021c:$a: NanoCore
1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0xae14:$a1: NanoCore.ClientPluginHost 0x1523f:$a1: NanoCore.ClientPluginHost 0x2021c:$a1: NanoCore.ClientPluginHost 0x2bfbe:$a1: NanoCore.ClientPluginHost 0x50ec2:$a1: NanoCore.ClientPluginHost 0x60302:$a1: NanoCore.ClientPluginHost 0x6d557:$a1: NanoCore.ClientPluginHost 0x78534:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0xaefe:$a2: NanoCore.ClientPlugin 0x152df:$a2: NanoCore.ClientPlugin 0x201f3:$a2: NanoCore.ClientPlugin 0x2bf95:$a2: NanoCore.ClientPlugin 0x50e99:$a2: NanoCore.ClientPlugin 0x602dd:$a2: NanoCore.ClientPlugin 0x6d5f7:$a2: NanoCore.ClientPlugin 0x7850b:$a2: NanoCore.ClientPlugin 0x602f3:$b4: IClientAppHost 0xc757:$b7: LogClientException 0x16035:$b7: LogClientException
1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x26ebb:$x2: NanoCore.ClientPlugin 0x3410b:$x2: NanoCore.ClientPlugin 0x3df9f:$x2: NanoCore.ClientPlugin 0x45f07:$x2: NanoCore.ClientPlugin 0x4beee:$x2: NanoCore.ClientPlugin 0x55a3d:$x2: NanoCore.ClientPlugin 0x5fe63:$x2: NanoCore.ClientPlugin 0x6adc0:$x2: NanoCore.ClientPlugin 0x76baa:$x2: NanoCore.ClientPlugin 0x8296d:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x26ee1:$x3: NanoCore.ClientPluginHost 0x3408f:$x3: NanoCore.ClientPluginHost 0x3df23:$x3: NanoCore.ClientPluginHost 0x45e8d:$x3: NanoCore.ClientPluginHost 0x4bea4:$x3: NanoCore.ClientPluginHost 0x55953:$x3: NanoCore.ClientPluginHost 0x5fdc3:$x3: NanoCore.ClientPluginHost 0x6ade9:$x3: NanoCore.ClientPluginHost 0x76bd3:$x3: NanoCore.ClientPluginHost
1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x26ebb:$a: NanoCore 0x26ee1:$a: NanoCore 0x26f3d:$a: NanoCore 0x33dd7:$a: NanoCore 0x33e30:$a: NanoCore 0x33e63:$a: NanoCore 0x3408f:$a: NanoCore 0x3410b:$a: NanoCore 0x34724:$a: NanoCore 0x3486d:$a: NanoCore 0x34d41:$a: NanoCore 0x35028:$a: NanoCore 0x3503f:$a: NanoCore 0x3df23:$a: NanoCore 0x3df9f:$a: NanoCore 0x40882:$a: NanoCore 0x45e8d:$a: NanoCore 0x45f07:$a: NanoCore
1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x26ee1:$a1: NanoCore.ClientPluginHost 0x3408f:$a1: NanoCore.ClientPluginHost 0x3df23:$a1: NanoCore.ClientPluginHost 0x45e8d:$a1: NanoCore.ClientPluginHost 0x4bea4:$a1: NanoCore.ClientPluginHost 0x55953:$a1: NanoCore.ClientPluginHost 0x5fdc3:$a1: NanoCore.ClientPluginHost 0x6ade9:$a1: NanoCore.ClientPluginHost 0x76bd3:$a1: NanoCore.ClientPluginHost 0x82992:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x26ebb:$a2: NanoCore.ClientPlugin 0x3410b:$a2: NanoCore.ClientPlugin 0x3df9f:$a2: NanoCore.ClientPlugin 0x45f07:$a2: NanoCore.ClientPlugin 0x4beee:$a2: NanoCore.ClientPlugin 0x55a3d:$a2: NanoCore.ClientPlugin 0x5fe63:$a2: NanoCore.ClientPlugin 0x6adc0:$a2: NanoCore.ClientPlugin 0x76baa:$a2: NanoCore.ClientPlugin
1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0xaf00:$x2: NanoCore.ClientPlugin 0x152e3:$x2: NanoCore.ClientPlugin 0x201f9:$x2: NanoCore.ClientPlugin 0x2bf9d:$x2: NanoCore.ClientPlugin 0x50ea3:$x2: NanoCore.ClientPlugin 0x602e9:$x2: NanoCore.ClientPlugin 0x69586:$x2: NanoCore.ClientPlugin 0x7ccfc:$x2: NanoCore.ClientPlugin 0x8a946:$x2: NanoCore.ClientPlugin 0x9ab61:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0xae16:$x3: NanoCore.ClientPluginHost 0x15243:$x3: NanoCore.ClientPluginHost 0x20222:$x3: NanoCore.ClientPluginHost 0x2bfc6:$x3: NanoCore.ClientPluginHost 0x50ecc:$x3: NanoCore.ClientPluginHost 0x6030e:$x3: NanoCore.ClientPluginHost 0x695c3:$x3: NanoCore.ClientPluginHost 0x7cd31:$x3: NanoCore.ClientPluginHost 0x8a96b:$x3: NanoCore.ClientPluginHost
1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0xae16:$a: NanoCore 0xaf00:$a: NanoCore 0xbd77:$a: NanoCore 0x14f23:$a: NanoCore 0x14f84:$a: NanoCore 0x14fc7:$a: NanoCore 0x15007:$a: NanoCore 0x15243:$a: NanoCore 0x152e3:$a: NanoCore 0x15abb:$a: NanoCore 0x160ae:$a: NanoCore 0x161ff:$a: NanoCore 0x17059:$a: NanoCore 0x172c0:$a: NanoCore 0x172d5:$a: NanoCore 0x172f4:$a: NanoCore 0x201f9:$a: NanoCore 0x20222:$a: NanoCore
1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0xae16:$a1: NanoCore.ClientPluginHost 0x15243:$a1: NanoCore.ClientPluginHost 0x20222:$a1: NanoCore.ClientPluginHost 0x2bfc6:$a1: NanoCore.ClientPluginHost 0x50ecc:$a1: NanoCore.ClientPluginHost 0x6030e:$a1: NanoCore.ClientPluginHost 0x695c3:$a1: NanoCore.ClientPluginHost 0x7cd31:$a1: NanoCore.ClientPluginHost 0x8a96b:$a1: NanoCore.ClientPluginHost 0x9ab87:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0xaf00:$a2: NanoCore.ClientPlugin 0x152e3:$a2: NanoCore.ClientPlugin 0x201f9:$a2: NanoCore.ClientPlugin 0x2bf9d:$a2: NanoCore.ClientPlugin 0x50ea3:$a2: NanoCore.ClientPlugin 0x602e9:$a2: NanoCore.ClientPlugin 0x69586:$a2: NanoCore.ClientPlugin 0x7ccfc:$a2: NanoCore.ClientPlugin 0x8a946:$a2: NanoCore.ClientPlugin
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd21cd:$x1: NanoCore.ClientPluginHost 0x104ded:$x1: NanoCore.ClientPluginHost 0x13780d:$x1: NanoCore.ClientPluginHost 0xd220a:$x2: IClientNetworkHost 0x104e2a:$x2: IClientNetworkHost 0x13784a:$x2: IClientNetworkHost 0xd5d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10895d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13b37d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x524cf:$s1: file:/// 0x523df:$s2: {11111-22222-10009-11112} 0x5245f:$s3: {11111-22222-50001-00000} 0x4f74d:$s4: get_Module 0x4fbc6:$s5: Reverse 0x51b8e:$s6: BlockCopy 0xdcfaf:$s6: BlockCopy 0x10fbcf:$s6: BlockCopy 0x1425ef:$s6: BlockCopy 0xdcfa6:$s7: ReadByte 0x10fbc6:$s7: ReadByte 0x1425e6:$s7: ReadByte 0x524e1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd1f35:$x1: NanoCore Client 0xd1f45:$x1: NanoCore Client 0x104b55:$x1: NanoCore Client 0x104b65:$x1: NanoCore Client 0x137575:$x1: NanoCore Client 0x137585:$x1: NanoCore Client 0xd218d:$x2: NanoCore.ClientPlugin 0x104dad:$x2: NanoCore.ClientPlugin 0x1377cd:$x2: NanoCore.ClientPlugin 0xd21cd:$x3: NanoCore.ClientPluginHost 0x104ded:$x3: NanoCore.ClientPluginHost 0x13780d:$x3: NanoCore.ClientPluginHost 0xd2182:$i1: IClientApp 0x104da2:$i1: IClientApp 0x1377c2:$i1: IClientApp 0xd21a3:$i2: IClientData 0x104dc3:$i2: IClientData 0x1377e3:$i2: IClientData 0xd21af:$i3: IClientNetwork 0x104dcf:$i3: IClientNetwork 0x1377ef:$i3: IClientNetwork
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd1f35:$a: NanoCore 0xd1f45:$a: NanoCore 0xd2179:$a: NanoCore 0xd218d:$a: NanoCore 0xd21cd:$a: NanoCore 0x104b55:$a: NanoCore 0x104b65:$a: NanoCore 0x104d99:$a: NanoCore 0x104dad:$a: NanoCore 0x104ded:$a: NanoCore 0x137575:$a: NanoCore 0x137585:$a: NanoCore 0x1377b9:$a: NanoCore 0x1377cd:$a: NanoCore 0x13780d:$a: NanoCore 0xd1f94:$b: ClientPlugin 0xd2196:$b: ClientPlugin 0xd21d6:$b: ClientPlugin 0x104bb4:$b: ClientPlugin 0x104db6:$b: ClientPlugin 0x104df6:$b: ClientPlugin
0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd21cd:$a1: NanoCore.ClientPluginHost 0x104ded:$a1: NanoCore.ClientPluginHost 0x13780d:$a1: NanoCore.ClientPluginHost 0xd218d:$a2: NanoCore.ClientPlugin 0x104dad:$a2: NanoCore.ClientPlugin 0x1377cd:$a2: NanoCore.ClientPlugin 0xd40e6:$b1: get_BuilderSettings 0x106d06:$b1: get_BuilderSettings 0x139726:$b1: get_BuilderSettings 0xd1fe9:$b2: ClientLoaderForm.resources 0x104c09:$b2: ClientLoaderForm.resources 0x137629:$b2: ClientLoaderForm.resources 0xd3806:$b3: PluginCommand 0x106426:$b3: PluginCommand 0x138e46:$b3: PluginCommand 0xd21be:$b4: IClientAppHost 0x104dde:$b4: IClientAppHost 0x1377fe:$b4: IClientAppHost 0xdc63e:$b5: GetBlockHash 0x10f25e:$b5: GetBlockHash 0x141c7e:$b5: GetBlockHash
Click to see the 291 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ParentImage: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ParentProcessId: 6004, ParentProcessName: wzkp8c4Z3F.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp, ProcessId: 5180, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\wzkp8c4Z3F.exe, ProcessId: 6004, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874972340322816766 09/23/22-08:28:03.841045
SID:	2816766
Source Port:	49723
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970540322025019 09/23/22-08:27:08.890440
SID:	2025019
Source Port:	49705
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 79.110.62.187 - Destination IP: 192.168.2.5

Timestamp:	79.110.62.187192.168.2.54032497062810290 09/23/22-08:27:17.892341
SID:	2810290
Source Port:	4032
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 79.110.62.187 - Destination IP: 192.168.2.5

Timestamp:	79.110.62.187192.168.2.54032497012841753 09/23/22-08:26:43.565182
SID:	2841753
Source Port:	4032
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970740322816766 09/23/22-08:27:27.538615
SID:	2816766
Source Port:	49707
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 79.110.62.187 - Destination IP: 192.168.2.5

Timestamp:	79.110.62.187192.168.2.54032497042841753 09/23/22-08:26:57.404411
SID:	2841753
Source Port:	4032
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970440322816766 09/23/22-08:26:53.398294
SID:	2816766
Source Port:	49704
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874972440322025019 09/23/22-08:28:10.108277
SID:	2025019
Source Port:	49724
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970640322816718 09/23/22-08:27:18.571667
SID:	2816718
Source Port:	49706
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874971740322816766 09/23/22-08:27:45.797275
SID:	2816766
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874972040322816766 09/23/22-08:27:53.992917
SID:	2816766
Source Port:	49720
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 79.110.62.187 - Destination IP: 192.168.2.5

Timestamp:	79.110.62.187192.168.2.54032497242841753 09/23/22-08:28:35.213011
SID:	2841753
Source Port:	4032
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970040322816766 09/23/22-08:26:32.618302
SID:	2816766
Source Port:	49700
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970140322025019 09/23/22-08:26:38.525077
SID:	2025019
Source Port:	49701
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970040322025019 09/23/22-08:26:30.256524
SID:	2025019
Source Port:	49700
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970540322816766 09/23/22-08:27:09.489809
SID:	2816766
Source Port:	49705
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970740322025019 09/23/22-08:27:25.994008
SID:	2025019
Source Port:	49707
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874971740322025019 09/23/22-08:27:44.656647
SID:	2025019
Source Port:	49717
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874972040322025019 09/23/22-08:27:52.410331
SID:	2025019
Source Port:	49720
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874972340322025019 09/23/22-08:28:02.603420
SID:	2025019
Source Port:	49723
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970440322025019 09/23/22-08:26:52.369313
SID:	2025019
Source Port:	49704
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970140322816766 09/23/22-08:26:43.252402
SID:	2816766
Source Port:	49701
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970640322025019 09/23/22-08:27:16.819903
SID:	2025019
Source Port:	49706
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874971640322025019 09/23/22-08:27:34.502399
SID:	2025019
Source Port:	49716
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874971640322816766 09/23/22-08:27:36.333232
SID:	2816766
Source Port:	49716
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.5 - Destination IP: 79.110.62.187

Timestamp:	192.168.2.579.110.62.1874970640322816766 09/23/22-08:27:18.571667
SID:	2816766
Source Port:	49706
Destination Port:	4032
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wzkp8c4Z3F.exe	ReversingLabs: Detection: 30%
Source: wzkp8c4Z3F.exe	Virustotal: Detection: 37%			Perma Link

Antivirus detection for URL or domain

Source: jasonbourne.bounceme.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: jasonbourne.bounceme.net	Virustotal: Detection: 20%			Perma Link
Source: jasonbourne.bounceme.net	Virustotal: Detection: 20%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 30%

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR

Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	Avira: Label: TR/NanoCore.fadte
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "9c6d4c8a-884b-4287-8ce0-7edf4a23", "Group": "X File", "Domain1": "jasonbourne.bounceme.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: wzkp8c4Z3F.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: wzkp8c4Z3F.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49700 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49700 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49701 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49701 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 79.110.62.187:4032 -> 192.168.2.5:49701
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49704 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49704 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 79.110.62.187:4032 -> 192.168.2.5:49704
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49705 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49705 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49706 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49706 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 79.110.62.187:4032 -> 192.168.2.5:49706
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.5:49706 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49707 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49707 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49716 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49716 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49717 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49717 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49720 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49723 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49724 -> 79.110.62.187:4032
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 79.110.62.187:4032 -> 192.168.2.5:49724

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: jasonbourne.bounceme.net
Source: Malware configuration extractor	URLs: 127.0.0.1

Source: Joe Sandbox View

ASN Name: LASOTELFR LASOTELFR

Source: global traffic

TCP traffic: 192.168.2.5:49700 -> 79.110.62.187:4032

Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.7
Source: wzkp8c4Z3F.exe, 00000000.00000003.305091252.00000000061D3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmllkA
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309431649.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309363707.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309401237.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309507837.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: wzkp8c4Z3F.exe, 00000000.00000003.309247140.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html.
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: wzkp8c4Z3F.exe, 00000000.00000003.309325259.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309581492.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309384782.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309491636.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309448912.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309157104.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309226287.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309265537.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309355591.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309106000.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309413300.00000000061D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frer
Source: wzkp8c4Z3F.exe, 00000000.00000003.308781029.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308868619.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308741845.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308706862.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlp
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: wzkp8c4Z3F.exe, 00000000.00000003.308316786.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comditam
Source: wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdsed
Source: wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: wzkp8c4Z3F.exe, 00000000.00000003.309271343.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309333675.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309247140.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309431649.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309126522.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309363707.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309401237.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309507837.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309176051.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrita
Source: wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comice
Source: wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comitu
Source: wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comkz
Source: wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como5
Source: wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comonyd5
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: wzkp8c4Z3F.exe, 00000000.00000003.304054048.00000000061C2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: wzkp8c4Z3F.exe, 00000000.00000003.304054048.00000000061C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnTF
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: wzkp8c4Z3F.exe, 00000000.00000003.310369108.00000000061E0000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310729246.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310621004.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310507059.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310541533.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310779336.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: wzkp8c4Z3F.exe, 00000000.00000003.307742871.00000000061CF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307785731.00000000061CF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307699640.00000000061D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.itcfonts.
Source: wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307249023.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307249023.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r1
Source: wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r:
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0x
Source: wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307469242.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308002992.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307299426.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307348154.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307721792.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307546287.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307963280.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307761958.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307469242.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307299426.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307348154.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307721792.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307546287.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307761958.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307816382.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307667530.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/liqu
Source: wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: wzkp8c4Z3F.exe, 00000000.00000003.301281997.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: wzkp8c4Z3F.exe, 00000000.00000003.306621636.00000000061D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com-e0$
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: jasonbourne.bounceme.net

Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: wzkp8c4Z3F.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.wzkp8c4Z3F.exe.2ea9588.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7330000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77b4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4609b1f.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7610000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4620d7e.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5c70000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77be8a4.35.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5c80000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.75e0000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77a0000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7600000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4523845.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.444b155.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.42d81d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7630000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.443ef21.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.42ce5cf.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5a00000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7780000.31.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7a70000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3354670.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.dhcpmon.exe.2c89684.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.461294e.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.445f782.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.42c9930.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.77b0000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.7620000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.451de19.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3310ac0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.452a673.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.3336334.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 0_2_016EC174
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 0_2_016EE76A
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 0_2_016EE778
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0160E471
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0160E480
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0160BBD4
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0575F5F8
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_05759788
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0575A610

Source: wzkp8c4Z3F.exe, 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000002.324065690.000000000342B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000000.298530449.0000000000EDB000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNBGh.exeF vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000002.325862323.0000000004371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000002.323461865.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000002.346397404.0000000007A30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000000.00000002.323991348.0000000003422000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596686089.00000000077A8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000003.326034962.00000000016E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNBGh.exeF vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.597364841.0000000007A7E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.566272214.000000000165A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.597016385.00000000077D8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000005.00000002.388854161.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000005.00000002.388280818.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000005.00000002.387123617.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 00000005.00000002.389150719.000000000418F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe, 0000000B.00000002.424882627.00000000011D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs wzkp8c4Z3F.exe
Source: wzkp8c4Z3F.exe	Binary or memory string: OriginalFilenameNBGh.exeF vs wzkp8c4Z3F.exe

Source: wzkp8c4Z3F.exe	ReversingLabs: Detection: 30%
Source: wzkp8c4Z3F.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File read: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Jump to behavior

Source: wzkp8c4Z3F.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe "C:\Users\user\Desktop\wzkp8c4Z3F.exe"
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe 0
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wzkp8c4Z3F.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File created: C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/12@12/1

Source: wzkp8c4Z3F.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{9c6d4c8a-884b-4287-8ce0-7edf4a237b07}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_01

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: wzkp8c4Z3F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: wzkp8c4Z3F.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: wzkp8c4Z3F.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: wzkp8c4Z3F.exe, 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: wzkp8c4Z3F.exe, order_management_system.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.wzkp8c4Z3F.exe.e10000.0.unpack, order_management_system.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.1.dr, order_management_system.cs	.Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_057569F8 pushad ; retf
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_05756A00 push esp; retf
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Code function: 1_2_0575B5E0 push eax; retf

Source: wzkp8c4Z3F.exe

Static PE information: 0x9CFBFE9A [Tue Jun 17 08:06:50 2053 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 6.928377089378491
Source: initial sample	Static PE information: section name: .text entropy: 6.928377089378491

Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

File opened: C:\Users\user\Desktop\wzkp8c4Z3F.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.323700911.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2004, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: wzkp8c4Z3F.exe, 00000000.00000002.323700911.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000005.00000002.387434116.0000000002E63000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000009.00000002.412102216.0000000003383000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: wzkp8c4Z3F.exe, 00000000.00000002.323700911.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 4584	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 3804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 4348	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 4180	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 2764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1716	Thread sleep time: -41226s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5460	Thread sleep time: -41226s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5300	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe TID: 3388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4508	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4976	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Window / User API: threadDelayed 9536

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41226
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 41226
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II6VirtualBox Graphics Adapter2VM Additions S3 Trio32/64
Source: dhcpmon.exe, 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wzkp8c4Z3F.exe, 00000001.00000002.567303598.00000000016EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllFS
Source: dhcpmon.exe, 00000009.00000002.412102216.0000000003383000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE6HARDWARE\Description\System VideoBiosVersion
Source: dhcpmon.exe, 00000009.00000002.412102216.0000000003383000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware"SystemBiosVersion
Source: dhcpmon.exe, 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Settings$Device DescriptionTSOFTWARE\Oracle\VirtualBox Guest AdditionsDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Memory written: C:\Users\user\Desktop\wzkp8c4Z3F.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Memory written: C:\Users\user\Desktop\wzkp8c4Z3F.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Process created: C:\Users\user\Desktop\wzkp8c4Z3F.exe C:\Users\user\Desktop\wzkp8c4Z3F.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Source: wzkp8c4Z3F.exe, 00000001.00000002.574946686.000000000360D000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.576473242.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.577530652.000000000378F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager(
Source: wzkp8c4Z3F.exe, 00000001.00000002.572141846.0000000003479000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.576840170.0000000003731000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.572098535.0000000003475000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: wzkp8c4Z3F.exe, 00000001.00000002.597239292.000000000792E000.00000004.00000010.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.588072873.000000000675B000.00000004.00000010.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.598697374.000000000932D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: wzkp8c4Z3F.exe, 00000001.00000002.573652167.0000000003563000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager4
Source: wzkp8c4Z3F.exe, 00000001.00000002.597698670.00000000083DB000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Users\user\Desktop\wzkp8c4Z3F.exe VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Users\user\Desktop\wzkp8c4Z3F.exe VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Users\user\Desktop\wzkp8c4Z3F.exe VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Users\user\Desktop\wzkp8c4Z3F.exe VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\wzkp8c4Z3F.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: wzkp8c4Z3F.exe, 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: wzkp8c4Z3F.exe, 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: wzkp8c4Z3F.exe, 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: wzkp8c4Z3F.exe, 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: wzkp8c4Z3F.exe, 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: wzkp8c4Z3F.exe, 00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: wzkp8c4Z3F.exe, 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: wzkp8c4Z3F.exe, 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: wzkp8c4Z3F.exe, 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: wzkp8c4Z3F.exe, 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a14629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e8b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.47245e0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46efbc0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.wzkp8c4Z3F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e90614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.5a10000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wzkp8c4Z3F.exe.3e94c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.4489064.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447cc37.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wzkp8c4Z3F.exe.447780c.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wzkp8c4Z3F.exe.46625a0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 6004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wzkp8c4Z3F.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6060, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	211 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wzkp8c4Z3F.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
wzkp8c4Z3F.exe	38%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.wzkp8c4Z3F.exe.5a10000.20.unpack	100%	Avira	TR/NanoCore.fadte		Download File
1.0.wzkp8c4Z3F.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

Source	Detection	Scanner	Label	Link
jasonbourne.bounceme.net	20%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.jiyu-kobo.co.jp/jp/C	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/5	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/en-u	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgrita	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/5	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.itcfonts.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/Q	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Q	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmllkA	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnTF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/z	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comonyd5	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/m	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comitu	0%	URL Reputation	safe
http://www.fontbureau.comdsed	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0r1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0x	0%	Avira URL Cloud	safe
jasonbourne.bounceme.net	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/Y0r:	0%	Avira URL Cloud	safe
jasonbourne.bounceme.net	20%	Virustotal		Browse
http://www.fontbureau.como5	0%	Avira URL Cloud	safe
127.0.0.1	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/liqu	0%	Avira URL Cloud	safe
http://www.fontbureau.comditam	0%	Avira URL Cloud	safe
http://www.sakkal.com-e0$	0%	Avira URL Cloud	safe
http://www.fontbureau.comkz	0%	Avira URL Cloud	safe
http://www.fontbureau.comice	0%	Avira URL Cloud	safe
http://www.agfamonotype.7	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jasonbourne.bounceme.net	79.110.62.187	true	true	20%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jasonbourne.bounceme.net	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
127.0.0.1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designers/cabarga.html.	wzkp8c4Z3F.exe, 00000000.00000003.309247140.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/C	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307469242.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308002992.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307299426.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307348154.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307721792.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307546287.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307963280.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307761958.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.htmllkA	wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comonyd5	wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0x	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0r1	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307249023.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/5	wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	wzkp8c4Z3F.exe, 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0r:	wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	wzkp8c4Z3F.exe, 00000000.00000003.301281997.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	wzkp8c4Z3F.exe, 00000000.00000003.310369108.00000000061E0000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310729246.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310621004.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310507059.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310541533.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.310779336.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/en-u	wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrita	wzkp8c4Z3F.exe, 00000000.00000003.309271343.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309333675.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309247140.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309431649.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309126522.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309363707.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309401237.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309507837.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309176051.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/5	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307249023.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/liqu	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307217947.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307469242.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307299426.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307348154.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307721792.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307546287.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307141741.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307761958.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307816382.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307667530.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comgrito	wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.itcfonts.	wzkp8c4Z3F.exe, 00000000.00000003.307742871.00000000061CF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307785731.00000000061CF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307699640.00000000061D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/Q	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	wzkp8c4Z3F.exe, 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como5	wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comditam	wzkp8c4Z3F.exe, 00000000.00000003.308316786.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	wzkp8c4Z3F.exe, 00000000.00000003.305091252.00000000061D3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309431649.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309363707.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309401237.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309507837.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com-e0$	wzkp8c4Z3F.exe, 00000000.00000003.306621636.00000000061D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/Q	wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnTF	wzkp8c4Z3F.exe, 00000000.00000003.304054048.00000000061C2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.htmlp	wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comice	wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/H	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305932536.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.305890213.00000000061DF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frer	wzkp8c4Z3F.exe, 00000000.00000003.309325259.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309581492.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309384782.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309491636.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309448912.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309157104.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309226287.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309265537.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309355591.00000000061D5000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309106000.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309413300.00000000061D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comd	wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.com	wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308722684.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/z	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306055723.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comkz	wzkp8c4Z3F.exe, 00000000.00000003.308883091.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308800633.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308758634.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	wzkp8c4Z3F.exe, 00000000.00000003.304054048.00000000061C2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	wzkp8c4Z3F.exe, 00000000.00000003.308781029.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308868619.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308741845.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308706862.00000000061D4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/Y0/	wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/m	wzkp8c4Z3F.exe, 00000000.00000003.306412625.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306127448.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306109408.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306992321.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307093650.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306922624.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306275167.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.307022088.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306777523.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306816461.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306519677.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306347263.00000000061D8000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306644788.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.306739275.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.agfamonotype.7	wzkp8c4Z3F.exe, 00000000.00000003.320875715.00000000061C0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/	wzkp8c4Z3F.exe, 00000000.00000003.305837903.00000000061E1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	wzkp8c4Z3F.exe, 00000000.00000002.344550086.00000000073D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comitu	wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdsed	wzkp8c4Z3F.exe, 00000000.00000003.308440589.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308655841.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308472746.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308509585.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308685842.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308384890.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308414612.00000000061E2000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308547019.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.308618210.00000000061E3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comals	wzkp8c4Z3F.exe, 00000000.00000003.309478215.00000000061E3000.00000004.00000800.00020000.00000000.sdmp, wzkp8c4Z3F.exe, 00000000.00000003.309603550.00000000061E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
79.110.62.187	jasonbourne.bounceme.net	Germany		39180	LASOTELFR	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	708261
Start date and time:	2022-09-23 08:25:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	wzkp8c4Z3F.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/12@12/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 80.67.82.235, 80.67.82.211
Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, a1449.dscg2.akamai.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:26:10	API Interceptor	742x Sleep call for process: wzkp8c4Z3F.exe modified
08:26:22	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:26:23	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\wzkp8c4Z3F.exe" s>$(Arg0)
08:26:26	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:26:33	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	878592
Entropy (8bit):	6.916288172693511
Encrypted:	false
SSDEEP:	12288:w6DPRU35pZSzykCdUnbLFuR+EPlKz3Kf1GaIOoLm9QQK95s:4eOFdUnf0Jt8iMJVIJ
MD5:	C143CAC623FBF082ADEDD43CAD691A69
SHA1:	62BD3D43D6E897922CF557D4E40F7D6D9035A4BF
SHA-256:	3A542858DDB263F3B60A1C7340D508E7F392443E9EE8521D0C9E4A8289173FDF
SHA-512:	78A7BAE0DB2019CCD712DD0168BC5784D26F87929FECE225F36D4F729862183A3DF61BBD01160BBDBB9630C5D4EB49910F3402EA7489AD23144B8F1F270CD21D
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......J.......:... ...@....@.. ....................................@..................................9..O....@..XF...........................9............................................... ............... ..H............text...$.... ...................... ..`.rsrc...XF...@...H..................@..@.reloc...............f..............@..B.................:......H............]...............9.............................................}.....(.......(.......}......(.......(.......(.....&...}........0............{....o......{....o......{....o......{....o......{....o......(.......{....o......(.........._....9.............sy......{......o...............,\..{....o.......{..............o.....s........r...pr...po.......o......(....t.......(......+....+#.s........rA..prS..po.......o.........0............{.....+..................

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wzkp8c4Z3F.exe.log

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1301
Entropy (8bit):	5.118479574222374
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PJIxtn:cbk4oL600QydbQxIYODOLedq3SJIj
MD5:	2761CF1D6E44C70E9DB2FC368E4CE76B
SHA1:	E915E0B02424B11641E2699F2CC3E4D33B031816
SHA-256:	CC924E89B08624128FC37FC127CA376584FE83E4B46C288792F1699F6C88FCF7
SHA-512:	904B9629B721A6D609919BCD5B9B726DC389E1717D61D124F692256C5124C90BBC837640B74E0B15E1778EEACCFA100713C89577D0A1AB8CED6AF9598C359B92
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:84/t:pl
MD5:	E97A1DE2A5B2C4396A416629739F2BCC
SHA1:	ED27AEFE33F35859DF58340363D966F4CDD47B3A
SHA-256:	3AAAE8C9ED61B76929865B55FFD6B6F5265AE5463C60FC864B181078ED867A6B
SHA-512:	E5C1192FF94F89A1336494251209D1D7F82C110FBA050CD30930EF3A6F2E9C6D5211AA54BDD9A70738911AE1600EA0481B0D777C3FB32B6FD002F79D4FC7C2B9
Malicious:	true
Preview:	.I..w..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	data
Category:	modified
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	38
Entropy (8bit):	4.458453829233061
Encrypted:	false
SSDEEP:	3:oNUWJRWSfO2Z2:oNNJASfhZ2
MD5:	C511FCE95999B1C831891818E4E7165C
SHA1:	3F7399E99E1C812CB4FFDBF9E45420F3B90EE17A
SHA-256:	ABCDCE28DCC9AF284B74CB00330C9CAC95B6573AD4496C5D6E2590FEED992F17
SHA-512:	7D3C61AFED5BEF54E7D5E4A04D757B82718E07CD0E5F6D5CE1969B8A22F0892436889797BDE25D5837BCD1A3BEACCA08985213EB533CFC87144188F457ABA5F9
Malicious:	false
Preview:	C:\Users\user\Desktop\wzkp8c4Z3F.exe

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.916288172693511
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	wzkp8c4Z3F.exe
File size:	878592
MD5:	c143cac623fbf082adedd43cad691a69
SHA1:	62bd3d43d6e897922cf557d4e40f7d6d9035a4bf
SHA256:	3a542858ddb263f3b60a1c7340d508e7f392443e9ee8521d0c9e4a8289173fdf
SHA512:	78a7bae0db2019ccd712dd0168bc5784d26f87929fece225f36d4f729862183a3df61bbd01160bbdbb9630c5d4eb49910f3402ea7489ad23144b8f1f270cd21d
SSDEEP:	12288:w6DPRU35pZSzykCdUnbLFuR+EPlKz3Kf1GaIOoLm9QQK95s:4eOFdUnf0Jt8iMJVIJ
TLSH:	D315D023DBDA5F47D01163B88490C2B557AAEF41A02EC2876FEA7C9FB0767919211F13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......J.......:... ...@....@.. ....................................@................................

File Icon


Icon Hash:	ce9c9496e4949c9e

Static PE Info

General

Entrypoint:	0x4d3a1e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9CFBFE9A [Tue Jun 17 08:06:50 2053 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd39cc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x4658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd39b0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd1a24	0xd1c00	False	0.6975810581793802	data	6.928377089378491	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd4000	0x4658	0x4800	False	0.5441623263888888	data	6.175860568943547	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xd40e8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON	0xd8310	0x14	data
RT_VERSION	0xd8324	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.579.110.62.1874972340322816766 09/23/22-08:28:03.841045	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970540322025019 09/23/22-08:27:08.890440	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	4032	192.168.2.5	79.110.62.187
79.110.62.187192.168.2.54032497062810290 09/23/22-08:27:17.892341	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	4032	49706	79.110.62.187	192.168.2.5
79.110.62.187192.168.2.54032497012841753 09/23/22-08:26:43.565182	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49701	79.110.62.187	192.168.2.5
192.168.2.579.110.62.1874970740322816766 09/23/22-08:27:27.538615	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	4032	192.168.2.5	79.110.62.187
79.110.62.187192.168.2.54032497042841753 09/23/22-08:26:57.404411	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49704	79.110.62.187	192.168.2.5
192.168.2.579.110.62.1874970440322816766 09/23/22-08:26:53.398294	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49704	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874972440322025019 09/23/22-08:28:10.108277	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970640322816718 09/23/22-08:27:18.571667	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49706	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874971740322816766 09/23/22-08:27:45.797275	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49717	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874972040322816766 09/23/22-08:27:53.992917	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	4032	192.168.2.5	79.110.62.187
79.110.62.187192.168.2.54032497242841753 09/23/22-08:28:35.213011	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	4032	49724	79.110.62.187	192.168.2.5
192.168.2.579.110.62.1874970040322816766 09/23/22-08:26:32.618302	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49700	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970140322025019 09/23/22-08:26:38.525077	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49701	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970040322025019 09/23/22-08:26:30.256524	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49700	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970540322816766 09/23/22-08:27:09.489809	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970740322025019 09/23/22-08:27:25.994008	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874971740322025019 09/23/22-08:27:44.656647	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49717	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874972040322025019 09/23/22-08:27:52.410331	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874972340322025019 09/23/22-08:28:02.603420	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970440322025019 09/23/22-08:26:52.369313	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49704	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970140322816766 09/23/22-08:26:43.252402	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49701	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970640322025019 09/23/22-08:27:16.819903	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874971640322025019 09/23/22-08:27:34.502399	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874971640322816766 09/23/22-08:27:36.333232	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	4032	192.168.2.5	79.110.62.187
192.168.2.579.110.62.1874970640322816766 09/23/22-08:27:18.571667	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	4032	192.168.2.5	79.110.62.187

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:26:29.966351032 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:29.994080067 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:29.994220972 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:30.256524086 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:30.338449001 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:30.338687897 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:30.416066885 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:30.416218996 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:30.445120096 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:30.588758945 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:30.959165096 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.040908098 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.078670025 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.078697920 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.078717947 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.078738928 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.078843117 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.078877926 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.106338024 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106542110 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106597900 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106637955 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106674910 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.106695890 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106730938 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.106750965 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106810093 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106837034 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.106864929 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.106929064 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134330034 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134386063 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134426117 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134470940 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134510994 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134526014 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134553909 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134556055 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134594917 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134602070 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134637117 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134675026 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134689093 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134715080 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134753942 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134761095 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134793043 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134830952 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134838104 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134871006 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134912014 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.134917021 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.134958982 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.135039091 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.162619114 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162676096 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162718058 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162755966 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162805080 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162852049 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.162859917 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162887096 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.162919998 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.162946939 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.162967920 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163007975 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163037062 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163048029 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163089991 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163095951 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163127899 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163167000 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163173914 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163207054 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163244009 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163252115 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163284063 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163322926 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163330078 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163403988 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163444996 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163460970 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163487911 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163525105 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163547039 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163566113 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163604975 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163629055 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163641930 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163683891 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163691998 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163723946 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163765907 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163778067 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163806915 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163846016 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163858891 CEST	49700	4032	192.168.2.5	79.110.62.187
Sep 23, 2022 08:26:31.163887024 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163925886 CEST	4032	49700	79.110.62.187	192.168.2.5
Sep 23, 2022 08:26:31.163943052 CEST	49700	4032	192.168.2.5	79.110.62.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 23, 2022 08:26:29.927006006 CEST	59287	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:26:29.947521925 CEST	53	59287	8.8.8.8	192.168.2.5
Sep 23, 2022 08:26:38.259186983 CEST	58648	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:26:38.279278994 CEST	53	58648	8.8.8.8	192.168.2.5
Sep 23, 2022 08:26:51.948220015 CEST	60841	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:26:51.971592903 CEST	53	60841	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:07.921751976 CEST	61893	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:07.947571993 CEST	53	61893	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:16.514156103 CEST	60649	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:16.535902977 CEST	53	60649	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:25.903851032 CEST	51441	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:25.923316956 CEST	53	51441	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:33.744175911 CEST	60975	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:33.763693094 CEST	53	60975	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:43.511075974 CEST	59220	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:44.569376945 CEST	59220	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:44.588841915 CEST	53	59220	8.8.8.8	192.168.2.5
Sep 23, 2022 08:27:52.360873938 CEST	56682	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:27:52.381127119 CEST	53	56682	8.8.8.8	192.168.2.5
Sep 23, 2022 08:28:00.559617996 CEST	62659	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:28:00.579726934 CEST	53	62659	8.8.8.8	192.168.2.5
Sep 23, 2022 08:28:10.054294109 CEST	58581	53	192.168.2.5	8.8.8.8
Sep 23, 2022 08:28:10.076261044 CEST	53	58581	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 23, 2022 08:26:29.927006006 CEST	192.168.2.5	8.8.8.8	0xb97d	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:26:38.259186983 CEST	192.168.2.5	8.8.8.8	0xa085	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:26:51.948220015 CEST	192.168.2.5	8.8.8.8	0xe8f2	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:07.921751976 CEST	192.168.2.5	8.8.8.8	0xa48c	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:16.514156103 CEST	192.168.2.5	8.8.8.8	0xd369	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:25.903851032 CEST	192.168.2.5	8.8.8.8	0xfea4	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:33.744175911 CEST	192.168.2.5	8.8.8.8	0x29e5	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:43.511075974 CEST	192.168.2.5	8.8.8.8	0xa7a6	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:44.569376945 CEST	192.168.2.5	8.8.8.8	0xa7a6	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:52.360873938 CEST	192.168.2.5	8.8.8.8	0xaa44	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:28:00.559617996 CEST	192.168.2.5	8.8.8.8	0xd61	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:28:10.054294109 CEST	192.168.2.5	8.8.8.8	0xa8ce	Standard query (0)	jasonbourne.bounceme.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 23, 2022 08:26:29.947521925 CEST	8.8.8.8	192.168.2.5	0xb97d	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:26:38.279278994 CEST	8.8.8.8	192.168.2.5	0xa085	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:26:51.971592903 CEST	8.8.8.8	192.168.2.5	0xe8f2	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:07.947571993 CEST	8.8.8.8	192.168.2.5	0xa48c	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:16.535902977 CEST	8.8.8.8	192.168.2.5	0xd369	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:25.923316956 CEST	8.8.8.8	192.168.2.5	0xfea4	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:33.763693094 CEST	8.8.8.8	192.168.2.5	0x29e5	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:44.588841915 CEST	8.8.8.8	192.168.2.5	0xa7a6	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:27:52.381127119 CEST	8.8.8.8	192.168.2.5	0xaa44	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:28:00.579726934 CEST	8.8.8.8	192.168.2.5	0xd61	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false
Sep 23, 2022 08:28:10.076261044 CEST	8.8.8.8	192.168.2.5	0xa8ce	No error (0)	jasonbourne.bounceme.net	79.110.62.187	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:26:02
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wzkp8c4Z3F.exe"
Imagebase:	0xe10000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.323700911.00000000033BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.340095078.00000000045CD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: wzkp8c4Z3F.exePID: 6004, Parent PID: 5336

General

Target ID:	1
Start time:	08:26:11
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Imagebase:	0xe10000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.586234147.0000000005A10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000000.318787004.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.587604607.0000000005C80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.597276168.0000000007A70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.595560442.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.596333698.0000000007780000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.595841255.0000000007600000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.579892381.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.582097897.00000000045AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.578423356.000000000438F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.596002221.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.595922296.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.596141792.0000000007630000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000003.358154679.000000000172E000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.596606327.00000000077A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.577659680.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.581112990.000000000451D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.596732046.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.586144489.0000000005A00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.568786578.00000000032C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.587474125.0000000005C70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.595445386.0000000007330000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5180, Parent PID: 6004

General

Target ID:	2
Start time:	08:26:19
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp
Imagebase:	0x20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4484, Parent PID: 5180

General

Target ID:	3
Start time:	08:26:22
Start date:	23/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wzkp8c4Z3F.exePID: 1544, Parent PID: 1084

General

Target ID:	5
Start time:	08:26:24
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wzkp8c4Z3F.exe 0
Imagebase:	0xac0000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: schtasks.exePID: 4596, Parent PID: 6004

General

Target ID:	6
Start time:	08:26:25
Start date:	23/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp
Imagebase:	0x20000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5248, Parent PID: 4596

General

Target ID:	7
Start time:	08:26:26
Start date:	23/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exePID: 2004, Parent PID: 1084

General

Target ID:	8
Start time:	08:26:27
Start date:	23/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xfa0000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.398660819.000000000344F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: dhcpmon.exePID: 5528, Parent PID: 3324

General

Target ID:	9
Start time:	08:26:30
Start date:	23/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xec0000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: wzkp8c4Z3F.exePID: 3104, Parent PID: 1544

General

Target ID:	11
Start time:	08:26:35
Start date:	23/09/2022
Path:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\wzkp8c4Z3F.exe
Imagebase:	0xa20000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.431461213.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.427695686.0000000002E41000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: dhcpmon.exePID: 6060, Parent PID: 2004

General

Target ID:	12
Start time:	08:26:43
Start date:	23/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x870000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.431374912.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: dhcpmon.exePID: 5000, Parent PID: 5528

General

Target ID:	13
Start time:	08:26:50
Start date:	23/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Imagebase:	0x840000
File size:	878592 bytes
MD5 hash:	C143CAC623FBF082ADEDD43CAD691A69
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wzkp8c4Z3F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wzkp8c4Z3F.exe.log

C:\Users\user\AppData\Local\Temp\tmpDBD9.tmp

C:\Users\user\AppData\Local\Temp\tmpF6C5.tmp

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Windows Analysis Report
wzkp8c4Z3F.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre