Edit tour

Windows Analysis Report
outstanding statement.exe

Overview

General Information

Sample Name:	outstanding statement.exe
Analysis ID:	710454
MD5:	c83f7860b0c0f1ad76d8ca65c6bad689
SHA1:	221ba6cf88de4c688583c69e8892ec9c3804a11e
SHA256:	94bcc238e29903cc49036da98144dae0c7e10526669d6c50e3b87239f8e27262
Tags:	exeNanoCore
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large strings

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

outstanding statement.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\outstanding statement.exe" MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

schtasks.exe (PID: 5316 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

outstanding statement.exe (PID: 5468 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

schtasks.exe (PID: 5700 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAB73.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5436 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

outstanding statement.exe (PID: 5832 cmdline: "C:\Users\user\Desktop\outstanding statement.exe" 0 MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

svchost.exe (PID: 1276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

schtasks.exe (PID: 3016 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp27F3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

outstanding statement.exe (PID: 5624 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

outstanding statement.exe (PID: 1276 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

dhcpmon.exe (PID: 3068 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

schtasks.exe (PID: 5788 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp29F7.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 4456 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

dhcpmon.exe (PID: 2588 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

dhcpmon.exe (PID: 6076 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

dhcpmon.exe (PID: 4008 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

dhcpmon.exe (PID: 5728 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

schtasks.exe (PID: 2040 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp6644.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 748 cmdline: {path} MD5: C83F7860B0C0F1AD76D8CA65C6BAD689)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x227c:$a1: NanoCore.ClientPluginHost 0x2257:$a2: NanoCore.ClientPlugin 0x226d:$b4: IClientAppHost 0x675c:$b7: LogClientException 0x22a6:$b9: IClientLoggingHost
00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa123d:$x1: NanoCore.ClientPluginHost 0x231945:$x1: NanoCore.ClientPluginHost 0xa127a:$x2: IClientNetworkHost 0x231982:$x2: IClientNetworkHost 0xa4dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2354b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa0fa5:$a: NanoCore 0xa0fb5:$a: NanoCore 0xa11e9:$a: NanoCore 0xa11fd:$a: NanoCore 0xa123d:$a: NanoCore 0x2316ad:$a: NanoCore 0x2316bd:$a: NanoCore 0x2318f1:$a: NanoCore 0x231905:$a: NanoCore 0x231945:$a: NanoCore 0xa1004:$b: ClientPlugin 0xa1206:$b: ClientPlugin 0xa1246:$b: ClientPlugin 0x23170c:$b: ClientPlugin 0x23190e:$b: ClientPlugin 0x23194e:$b: ClientPlugin 0xa112b:$c: ProjectData 0x184b87:$c: ProjectData 0x231833:$c: ProjectData 0x26491f:$c: ProjectData 0xa1b32:$d: DESCrypto
00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa123d:$a1: NanoCore.ClientPluginHost 0x231945:$a1: NanoCore.ClientPluginHost 0xa11fd:$a2: NanoCore.ClientPlugin 0x231905:$a2: NanoCore.ClientPlugin 0xa3156:$b1: get_BuilderSettings 0x23385e:$b1: get_BuilderSettings 0xa1059:$b2: ClientLoaderForm.resources 0x231761:$b2: ClientLoaderForm.resources 0xa2876:$b3: PluginCommand 0x232f7e:$b3: PluginCommand 0xa122e:$b4: IClientAppHost 0x231936:$b4: IClientAppHost 0xab6ae:$b5: GetBlockHash 0x23bdb6:$b5: GetBlockHash 0xa37ae:$b6: AddHostEntry 0x233eb6:$b6: AddHostEntry 0xa74a1:$b7: LogClientException 0x237ba9:$b7: LogClientException 0xa371b:$b8: PipeExists 0x233e23:$b8: PipeExists 0xa1267:$b9: IClientLoggingHost
00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb45d7:$a: NanoCore 0xb45fc:$a: NanoCore 0xb4655:$a: NanoCore 0xc47f4:$a: NanoCore 0xc481a:$a: NanoCore 0xc4876:$a: NanoCore 0xd16cd:$a: NanoCore 0xd1726:$a: NanoCore 0xd1759:$a: NanoCore 0xd1985:$a: NanoCore 0xd1a01:$a: NanoCore 0xd201a:$a: NanoCore 0xd2163:$a: NanoCore 0xd2637:$a: NanoCore 0xd291e:$a: NanoCore 0xd2935:$a: NanoCore 0xdb7d9:$a: NanoCore 0xdb855:$a: NanoCore 0xde138:$a: NanoCore 0xe3701:$a: NanoCore 0xe377b:$a: NanoCore
00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb45fc:$a1: NanoCore.ClientPluginHost 0xc481a:$a1: NanoCore.ClientPluginHost 0xd1985:$a1: NanoCore.ClientPluginHost 0xdb7d9:$a1: NanoCore.ClientPluginHost 0xe3701:$a1: NanoCore.ClientPluginHost 0xe96d4:$a1: NanoCore.ClientPluginHost 0xf3142:$a1: NanoCore.ClientPluginHost 0xfd56f:$a1: NanoCore.ClientPluginHost 0x10854e:$a1: NanoCore.ClientPluginHost 0x1142f2:$a1: NanoCore.ClientPluginHost 0x1391f8:$a1: NanoCore.ClientPluginHost 0x14863a:$a1: NanoCore.ClientPluginHost 0x1518ef:$a1: NanoCore.ClientPluginHost 0x16505d:$a1: NanoCore.ClientPluginHost 0x172c97:$a1: NanoCore.ClientPluginHost 0x182eb3:$a1: NanoCore.ClientPluginHost 0x19001c:$a1: NanoCore.ClientPluginHost 0x19656a:$a1: NanoCore.ClientPluginHost 0x19c53b:$a1: NanoCore.ClientPluginHost 0x1a5fa7:$a1: NanoCore.ClientPluginHost 0x1b03d2:$a1: NanoCore.ClientPluginHost
00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x27b0b:$a1: NanoCore.ClientPluginHost 0x27ae2:$a2: NanoCore.ClientPlugin 0x2cb36:$b7: LogClientException 0x27af8:$b9: IClientLoggingHost
00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x71a7:$a: NanoCore 0x7200:$a: NanoCore 0x723d:$a: NanoCore 0x72b6:$a: NanoCore 0x392f2:$a: NanoCore 0x39317:$a: NanoCore 0x39370:$a: NanoCore 0x4ab3f:$a: NanoCore 0x4ab65:$a: NanoCore 0x4abc1:$a: NanoCore 0x57a5b:$a: NanoCore 0x57ab4:$a: NanoCore 0x57ae7:$a: NanoCore 0x57d13:$a: NanoCore 0x57d8f:$a: NanoCore 0x583a8:$a: NanoCore 0x584f1:$a: NanoCore 0x589c5:$a: NanoCore 0x58cac:$a: NanoCore 0x58cc3:$a: NanoCore 0x61ba7:$a: NanoCore
00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x723d:$a1: NanoCore.ClientPluginHost 0x39317:$a1: NanoCore.ClientPluginHost 0x4ab65:$a1: NanoCore.ClientPluginHost 0x57d13:$a1: NanoCore.ClientPluginHost 0x61ba7:$a1: NanoCore.ClientPluginHost 0x69b11:$a1: NanoCore.ClientPluginHost 0x6fb28:$a1: NanoCore.ClientPluginHost 0x795d7:$a1: NanoCore.ClientPluginHost 0x83a47:$a1: NanoCore.ClientPluginHost 0x8ea6d:$a1: NanoCore.ClientPluginHost 0x9a857:$a1: NanoCore.ClientPluginHost 0xa6616:$a1: NanoCore.ClientPluginHost 0x7200:$a2: NanoCore.ClientPlugin 0x392f2:$a2: NanoCore.ClientPlugin 0x4ab3f:$a2: NanoCore.ClientPlugin 0x57d8f:$a2: NanoCore.ClientPlugin 0x61c23:$a2: NanoCore.ClientPlugin 0x69b8b:$a2: NanoCore.ClientPlugin 0x6fb72:$a2: NanoCore.ClientPlugin 0x796c1:$a2: NanoCore.ClientPlugin 0x83ae7:$a2: NanoCore.ClientPlugin
0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435bd:$a: NanoCore 0x43616:$a: NanoCore 0x43653:$a: NanoCore 0x436cc:$a: NanoCore 0x56d77:$a: NanoCore 0x56d8c:$a: NanoCore 0x56dc1:$a: NanoCore 0x6fd63:$a: NanoCore 0x6fd78:$a: NanoCore 0x6fdad:$a: NanoCore 0x4361f:$b: ClientPlugin 0x4365c:$b: ClientPlugin 0x43f5a:$b: ClientPlugin 0x43f67:$b: ClientPlugin 0x56b33:$b: ClientPlugin 0x56b4e:$b: ClientPlugin 0x56b7e:$b: ClientPlugin 0x56d95:$b: ClientPlugin 0x56dca:$b: ClientPlugin 0x6fb1f:$b: ClientPlugin 0x6fb3a:$b: ClientPlugin
0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x43653:$a1: NanoCore.ClientPluginHost 0x56dc1:$a1: NanoCore.ClientPluginHost 0x6fdad:$a1: NanoCore.ClientPluginHost 0x43616:$a2: NanoCore.ClientPlugin 0x56d8c:$a2: NanoCore.ClientPlugin 0x6fd78:$a2: NanoCore.ClientPlugin 0x439ea:$b1: get_BuilderSettings 0x5bd07:$b1: get_BuilderSettings 0x74cf3:$b1: get_BuilderSettings 0x436a1:$b4: IClientAppHost 0x43a5b:$b6: AddHostEntry 0x43aca:$b7: LogClientException 0x5bc76:$b7: LogClientException 0x74c62:$b7: LogClientException 0x43a3f:$b8: PipeExists 0x4368e:$b9: IClientLoggingHost 0x56ddb:$b9: IClientLoggingHost 0x6fdc7:$b9: IClientLoggingHost
00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6943b:$a: NanoCore 0x69494:$a: NanoCore 0x694d1:$a: NanoCore 0x6954a:$a: NanoCore 0x6949d:$b: ClientPlugin 0x694da:$b: ClientPlugin 0x69dd8:$b: ClientPlugin 0x69de5:$b: ClientPlugin 0x5f5b8:$e: KeepAlive 0x69925:$g: LogClientMessage 0x698a5:$i: get_Connected 0x59871:$j: #=q 0x598a1:$j: #=q 0x598dd:$j: #=q 0x59905:$j: #=q 0x59935:$j: #=q 0x59965:$j: #=q 0x59995:$j: #=q 0x599c5:$j: #=q 0x599e1:$j: #=q 0x59a11:$j: #=q
00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694d1:$a1: NanoCore.ClientPluginHost 0x69494:$a2: NanoCore.ClientPlugin 0x5adab:$b1: get_BuilderSettings 0x69868:$b1: get_BuilderSettings 0x6951f:$b4: IClientAppHost 0x698d9:$b6: AddHostEntry 0x5ad1a:$b7: LogClientException 0x69948:$b7: LogClientException 0x698bd:$b8: PipeExists 0x6950c:$b9: IClientLoggingHost
00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55bff:$a: NanoCore 0x55ce9:$a: NanoCore 0x56b60:$a: NanoCore 0x5fd0a:$a: NanoCore 0x5fd6b:$a: NanoCore 0x5fdae:$a: NanoCore 0x5fdee:$a: NanoCore 0x6002a:$a: NanoCore 0x600ca:$a: NanoCore 0x608a2:$a: NanoCore 0x60e95:$a: NanoCore 0x60fe6:$a: NanoCore 0x61e40:$a: NanoCore 0x620a7:$a: NanoCore 0x620bc:$a: NanoCore 0x620db:$a: NanoCore 0x6afde:$a: NanoCore 0x6b007:$a: NanoCore 0x76d80:$a: NanoCore 0x76da9:$a: NanoCore 0x9bc6c:$a: NanoCore
00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x55bff:$a1: NanoCore.ClientPluginHost 0x6002a:$a1: NanoCore.ClientPluginHost 0x6b007:$a1: NanoCore.ClientPluginHost 0x76da9:$a1: NanoCore.ClientPluginHost 0x9bcad:$a1: NanoCore.ClientPluginHost 0xab0ed:$a1: NanoCore.ClientPluginHost 0x55ce9:$a2: NanoCore.ClientPlugin 0x600ca:$a2: NanoCore.ClientPlugin 0x6afde:$a2: NanoCore.ClientPlugin 0x76d80:$a2: NanoCore.ClientPlugin 0x9bc84:$a2: NanoCore.ClientPlugin 0xab0c8:$a2: NanoCore.ClientPlugin 0xab0de:$b4: IClientAppHost 0x57542:$b7: LogClientException 0x60e20:$b7: LogClientException 0x790f2:$b7: LogClientException 0xa0cd8:$b7: LogClientException 0xaf5cd:$b7: LogClientException 0x56b55:$b8: PipeExists 0x55c19:$b9: IClientLoggingHost 0x60044:$b9: IClientLoggingHost
00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69457:$a: NanoCore 0x694b0:$a: NanoCore 0x694ed:$a: NanoCore 0x69566:$a: NanoCore 0x694b9:$b: ClientPlugin 0x694f6:$b: ClientPlugin 0x69df4:$b: ClientPlugin 0x69e01:$b: ClientPlugin 0x5f5d4:$e: KeepAlive 0x69941:$g: LogClientMessage 0x698c1:$i: get_Connected 0x5988d:$j: #=q 0x598bd:$j: #=q 0x598f9:$j: #=q 0x59921:$j: #=q 0x59951:$j: #=q 0x59981:$j: #=q 0x599b1:$j: #=q 0x599e1:$j: #=q 0x599fd:$j: #=q 0x59a2d:$j: #=q
0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694ed:$a1: NanoCore.ClientPluginHost 0x694b0:$a2: NanoCore.ClientPlugin 0x5adc7:$b1: get_BuilderSettings 0x69884:$b1: get_BuilderSettings 0x6953b:$b4: IClientAppHost 0x698f5:$b6: AddHostEntry 0x5ad36:$b7: LogClientException 0x69964:$b7: LogClientException 0x698d9:$b8: PipeExists 0x69528:$b9: IClientLoggingHost
Process Memory Space: outstanding statement.exe PID: 5916	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa42a:$x1: NanoCore.ClientPluginHost 0xa467:$x2: IClientNetworkHost 0xdf58:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18fde:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f123:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: outstanding statement.exe PID: 5916	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x138af3:$s5: AEAAAAMAAQqVT 0x5b8c9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0xd6c88:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x115d2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x138a64:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: outstanding statement.exe PID: 5916	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: outstanding statement.exe PID: 5916	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: outstanding statement.exe PID: 5916	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa0f7:$a: NanoCore 0xa107:$a: NanoCore 0xa1c6:$a: NanoCore 0xa1d5:$a: NanoCore 0xa3d6:$a: NanoCore 0xa3ea:$a: NanoCore 0xa42a:$a: NanoCore 0x15648:$a: NanoCore 0x1565a:$a: NanoCore 0x15696:$a: NanoCore 0x2b78d:$a: NanoCore 0x2b79f:$a: NanoCore 0x2b7db:$a: NanoCore 0xa156:$b: ClientPlugin 0xa21f:$b: ClientPlugin 0xa3f3:$b: ClientPlugin 0xa433:$b: ClientPlugin 0x15663:$b: ClientPlugin 0x1569f:$b: ClientPlugin 0x2b7a8:$b: ClientPlugin 0x2b7e4:$b: ClientPlugin
Process Memory Space: outstanding statement.exe PID: 5916	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa42a:$a1: NanoCore.ClientPluginHost 0xa3ea:$a2: NanoCore.ClientPlugin 0xc301:$b1: get_BuilderSettings 0xa1ab:$b2: ClientLoaderForm.resources 0xba21:$b3: PluginCommand 0xa41b:$b4: IClientAppHost 0x14854:$b5: GetBlockHash 0xc959:$b6: AddHostEntry 0x17a78:$b6: AddHostEntry 0x2dbbd:$b6: AddHostEntry 0x1064c:$b7: LogClientException 0x1b5b9:$b7: LogClientException 0x316fe:$b7: LogClientException 0xc8c6:$b8: PipeExists 0x179ec:$b8: PipeExists 0x2db31:$b8: PipeExists 0xa454:$b9: IClientLoggingHost
Process Memory Space: outstanding statement.exe PID: 5468	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e499:$x1: NanoCore.ClientPluginHost 0xa23d1:$x1: NanoCore.ClientPluginHost 0xc6cb9:$x1: NanoCore.ClientPluginHost 0xd30f8:$x1: NanoCore.ClientPluginHost 0xd8d5e:$x1: NanoCore.ClientPluginHost 0xe9b7d:$x1: NanoCore.ClientPluginHost 0x1039aa:$x1: NanoCore.ClientPluginHost 0x117627:$x1: NanoCore.ClientPluginHost 0x11ef5c:$x1: NanoCore.ClientPluginHost 0x1622dc:$x1: NanoCore.ClientPluginHost 0x179d51:$x1: NanoCore.ClientPluginHost 0x182c67:$x1: NanoCore.ClientPluginHost 0x192c5b:$x1: NanoCore.ClientPluginHost 0x1ccef0:$x1: NanoCore.ClientPluginHost 0x1e5944:$x1: NanoCore.ClientPluginHost 0x222ca6:$x1: NanoCore.ClientPluginHost 0x22ecb7:$x1: NanoCore.ClientPluginHost 0x23b1fc:$x1: NanoCore.ClientPluginHost 0x1e4c3:$x2: IClientNetworkHost 0xa240e:$x2: IClientNetworkHost 0xc6cd3:$x2: IClientNetworkHost
Process Memory Space: outstanding statement.exe PID: 5468	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: outstanding statement.exe PID: 5468	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2b6e:$a: NanoCore 0x2f80:$a: NanoCore 0x48c7:$a: NanoCore 0x115a6:$a: NanoCore 0x11663:$a: NanoCore 0x11834:$a: NanoCore 0x118f5:$a: NanoCore 0x1e474:$a: NanoCore 0x1e499:$a: NanoCore 0x1e4f2:$a: NanoCore 0x21f8e:$a: NanoCore 0x21fb1:$a: NanoCore 0x22006:$a: NanoCore 0x2d0a3:$a: NanoCore 0x2d0c7:$a: NanoCore 0x2d11f:$a: NanoCore 0x34595:$a: NanoCore 0x345ee:$a: NanoCore 0x34614:$a: NanoCore 0x349aa:$a: NanoCore 0x349ee:$a: NanoCore
Process Memory Space: outstanding statement.exe PID: 5468	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1e499:$a1: NanoCore.ClientPluginHost 0xa23d1:$a1: NanoCore.ClientPluginHost 0xc6cb9:$a1: NanoCore.ClientPluginHost 0xd30f8:$a1: NanoCore.ClientPluginHost 0xd8d5e:$a1: NanoCore.ClientPluginHost 0xe9b7d:$a1: NanoCore.ClientPluginHost 0x1039aa:$a1: NanoCore.ClientPluginHost 0x117627:$a1: NanoCore.ClientPluginHost 0x11ef5c:$a1: NanoCore.ClientPluginHost 0x1622dc:$a1: NanoCore.ClientPluginHost 0x179d51:$a1: NanoCore.ClientPluginHost 0x182c67:$a1: NanoCore.ClientPluginHost 0x192c5b:$a1: NanoCore.ClientPluginHost 0x1ccef0:$a1: NanoCore.ClientPluginHost 0x1e5944:$a1: NanoCore.ClientPluginHost 0x222ca6:$a1: NanoCore.ClientPluginHost 0x22ecb7:$a1: NanoCore.ClientPluginHost 0x23b1fc:$a1: NanoCore.ClientPluginHost 0x1e474:$a2: NanoCore.ClientPlugin 0xa23ac:$a2: NanoCore.ClientPlugin 0xc6c90:$a2: NanoCore.ClientPlugin
Process Memory Space: outstanding statement.exe PID: 5832	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x11330:$s5: AEAAAAMAAQqVT 0x6fd9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x112a1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 3068	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x30b46:$s5: AEAAAAMAAQqVT 0x6ceb:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x30ab7:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 5728	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0xdcf:$s5: AEAAAAMAAQqVT 0xd40:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1fdae:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: outstanding statement.exe PID: 1276	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: outstanding statement.exe PID: 1276	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2566:$a: NanoCore 0x4f27:$a: NanoCore 0x4f80:$a: NanoCore 0x4fbd:$a: NanoCore 0x5036:$a: NanoCore 0x58ef:$a: NanoCore 0x5942:$a: NanoCore 0x597b:$a: NanoCore 0x59ee:$a: NanoCore 0xcfc0:$a: NanoCore 0xcfd3:$a: NanoCore 0xd005:$a: NanoCore 0x12ce8:$a: NanoCore 0x12cfb:$a: NanoCore 0x12d2d:$a: NanoCore 0x186f0:$a: NanoCore 0x1874c:$a: NanoCore 0x187c6:$a: NanoCore 0x2e034:$a: NanoCore 0x2e08d:$a: NanoCore 0x2e0ca:$a: NanoCore
Process Memory Space: outstanding statement.exe PID: 1276	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4fbd:$a1: NanoCore.ClientPluginHost 0x2e0ca:$a1: NanoCore.ClientPluginHost 0x4f80:$a2: NanoCore.ClientPlugin 0x2e08d:$a2: NanoCore.ClientPlugin 0x5337:$b1: get_BuilderSettings 0x2780d:$b1: get_BuilderSettings 0x500b:$b4: IClientAppHost 0x2e118:$b4: IClientAppHost 0x53a8:$b6: AddHostEntry 0x2e42b:$b6: AddHostEntry 0x5417:$b7: LogClientException 0x2777c:$b7: LogClientException 0x538c:$b8: PipeExists 0x2e40f:$b8: PipeExists 0x4ff8:$b9: IClientLoggingHost 0x2e105:$b9: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 4008	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4008	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x152e:$a: NanoCore 0x4d2f:$a: NanoCore 0x4d8b:$a: NanoCore 0x4e0b:$a: NanoCore 0x1a689:$a: NanoCore 0x1a6e2:$a: NanoCore 0x1a71f:$a: NanoCore 0x1a798:$a: NanoCore 0x1af26:$a: NanoCore 0x1af79:$a: NanoCore 0x1afb2:$a: NanoCore 0x1b025:$a: NanoCore 0x1bb76:$a: NanoCore 0x159d4:$b: ClientPlugin 0x15a15:$b: ClientPlugin 0x1a6eb:$b: ClientPlugin 0x1a728:$b: ClientPlugin 0x1aed6:$b: ClientPlugin 0x1aee3:$b: ClientPlugin 0x1af82:$b: ClientPlugin 0x1afbb:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 4008	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a71f:$a1: NanoCore.ClientPluginHost 0x1a6e2:$a2: NanoCore.ClientPlugin 0x13e5c:$b1: get_BuilderSettings 0x1a76d:$b4: IClientAppHost 0x1aa80:$b6: AddHostEntry 0x13dcb:$b7: LogClientException 0x1aa64:$b8: PipeExists 0x1a75a:$b9: IClientLoggingHost
Click to see the 97 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.outstanding statement.exe.40fe5cf.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.outstanding statement.exe.40fe5cf.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.outstanding statement.exe.40fe5cf.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.outstanding statement.exe.40fe5cf.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.outstanding statement.exe.756e8a4.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.outstanding statement.exe.756e8a4.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.outstanding statement.exe.756e8a4.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.outstanding statement.exe.756e8a4.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7590000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7590000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7590000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.outstanding statement.exe.7590000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7520000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7520000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7520000.25.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.outstanding statement.exe.7520000.25.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
0.2.outstanding statement.exe.3d387b8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.outstanding statement.exe.3d387b8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.outstanding statement.exe.3d387b8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.outstanding statement.exe.3d387b8.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.outstanding statement.exe.3d387b8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.outstanding statement.exe.3d387b8.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
29.2.outstanding statement.exe.4150614.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
29.2.outstanding statement.exe.4150614.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
29.2.outstanding statement.exe.4150614.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.outstanding statement.exe.4150614.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
29.2.outstanding statement.exe.4150614.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7520000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7520000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7520000.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.outstanding statement.exe.7520000.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7540000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7540000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7540000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.outstanding statement.exe.7540000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.73a0000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73a0000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73a0000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.outstanding statement.exe.73a0000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.outstanding statement.exe.5a40000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.outstanding statement.exe.5a40000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.outstanding statement.exe.5a40000.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.outstanding statement.exe.5a40000.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7590000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7590000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7590000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.outstanding statement.exe.7590000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
3.2.outstanding statement.exe.6aa0000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.6aa0000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.outstanding statement.exe.6aa0000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.outstanding statement.exe.6aa0000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
3.2.outstanding statement.exe.73d0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73d0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73d0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.outstanding statement.exe.73d0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7230000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7230000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7230000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.outstanding statement.exe.7230000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
3.2.outstanding statement.exe.73c0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73c0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73c0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.outstanding statement.exe.73c0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.0.outstanding statement.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.outstanding statement.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.outstanding statement.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.outstanding statement.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.0.outstanding statement.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.outstanding statement.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.outstanding statement.exe.5a50000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.outstanding statement.exe.5a50000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.outstanding statement.exe.5a50000.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.outstanding statement.exe.5a50000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.outstanding statement.exe.5a50000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.outstanding statement.exe.427bc75.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.outstanding statement.exe.427bc75.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.outstanding statement.exe.427bc75.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.outstanding statement.exe.427bc75.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
32.2.dhcpmon.exe.2ed965c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
32.2.dhcpmon.exe.2ed965c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
32.2.dhcpmon.exe.2ed965c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
32.2.dhcpmon.exe.2ed965c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
29.2.outstanding statement.exe.4150614.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28799:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287c6:$x2: IClientNetworkHost
29.2.outstanding statement.exe.4150614.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28799:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29874:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287b3:$s5: IClientLoggingHost
29.2.outstanding statement.exe.4150614.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.outstanding statement.exe.4150614.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28764:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28799:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28758:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2877a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28789:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x287b3:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x287c6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x287d9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x287e7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x28803:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
29.2.outstanding statement.exe.4150614.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28799:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28764:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d6df:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d64e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x287b3:$b9: IClientLoggingHost
3.2.outstanding statement.exe.443a63f.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.outstanding statement.exe.443a63f.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.outstanding statement.exe.443a63f.11.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.outstanding statement.exe.443a63f.11.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.outstanding statement.exe.73a0000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73a0000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73a0000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
3.2.outstanding statement.exe.73a0000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7200000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7200000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7200000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.outstanding statement.exe.7200000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7390000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7390000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7390000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
3.2.outstanding statement.exe.7390000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.outstanding statement.exe.426fa41.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.426fa41.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.outstanding statement.exe.426fa41.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.outstanding statement.exe.426fa41.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
29.2.outstanding statement.exe.414b7de.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5cf:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d5fc:$x2: IClientNetworkHost
29.2.outstanding statement.exe.414b7de.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5cf:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6aa:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5e9:$s5: IClientLoggingHost
29.2.outstanding statement.exe.414b7de.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.outstanding statement.exe.414b7de.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d59a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d5cf:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d58e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d5b0:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d5bf:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d5e9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
29.2.outstanding statement.exe.414b7de.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d585:$a: NanoCore 0x2d59a:$a: NanoCore 0x2d5cf:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d341:$b: ClientPlugin 0x2d35c:$b: ClientPlugin
29.2.outstanding statement.exe.414b7de.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d5cf:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d59a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x32515:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x32484:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d5e9:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7564c9f.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7564c9f.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7564c9f.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.outstanding statement.exe.7564c9f.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7560000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7560000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7560000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.outstanding statement.exe.7560000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
29.2.outstanding statement.exe.4154c3d.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24170:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x2419d:$x2: IClientNetworkHost
29.2.outstanding statement.exe.4154c3d.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24170:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2524b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x2418a:$s5: IClientLoggingHost
29.2.outstanding statement.exe.4154c3d.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
29.2.outstanding statement.exe.4154c3d.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x2413b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x24170:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x2412f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x24151:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x24160:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x2418a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x2419d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x241b0:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x241be:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x241da:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
29.2.outstanding statement.exe.4154c3d.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x24170:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x2413b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x290b6:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x29025:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x2418a:$b9: IClientLoggingHost
3.2.outstanding statement.exe.5a50000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.outstanding statement.exe.5a50000.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.outstanding statement.exe.5a50000.16.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.outstanding statement.exe.5a50000.16.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.outstanding statement.exe.5a50000.16.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.outstanding statement.exe.317d75c.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.317d75c.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.outstanding statement.exe.317d75c.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.outstanding statement.exe.317d75c.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.outstanding statement.exe.73d0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73d0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73d0000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.outstanding statement.exe.73d0000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.outstanding statement.exe.445189e.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.outstanding statement.exe.445189e.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.445189e.10.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.outstanding statement.exe.445189e.10.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.41081d4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.outstanding statement.exe.41081d4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.outstanding statement.exe.41081d4.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.outstanding statement.exe.41081d4.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7540000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7540000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7540000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.outstanding statement.exe.7540000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7390000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7390000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7390000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.outstanding statement.exe.7390000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7560000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7560000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7560000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.outstanding statement.exe.7560000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.6aa0000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.6aa0000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.outstanding statement.exe.6aa0000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.outstanding statement.exe.6aa0000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.outstanding statement.exe.318afc0.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.outstanding statement.exe.318afc0.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.outstanding statement.exe.318afc0.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.outstanding statement.exe.318afc0.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.outstanding statement.exe.73c0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.outstanding statement.exe.73c0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73c0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.outstanding statement.exe.73c0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.outstanding statement.exe.5a54629.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.outstanding statement.exe.5a54629.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.outstanding statement.exe.5a54629.15.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.outstanding statement.exe.5a54629.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.outstanding statement.exe.5a54629.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
29.2.outstanding statement.exe.3169678.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
29.2.outstanding statement.exe.3169678.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
29.2.outstanding statement.exe.3169678.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
29.2.outstanding statement.exe.3169678.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.outstanding statement.exe.73b0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.outstanding statement.exe.73b0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
3.2.outstanding statement.exe.73b0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
3.2.outstanding statement.exe.73b0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.outstanding statement.exe.7200000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.outstanding statement.exe.7200000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.outstanding statement.exe.7200000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.outstanding statement.exe.7200000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.outstanding statement.exe.318afc0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x27b51:$x1: NanoCore.ClientPluginHost 0x2db68:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x27b8a:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
3.2.outstanding statement.exe.318afc0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15dcf:$x2: NanoCore.ClientPlugin 0x1fc63:$x2: NanoCore.ClientPlugin 0x27bcb:$x2: NanoCore.ClientPlugin 0x2dbb2:$x2: NanoCore.ClientPlugin 0x37701:$x2: NanoCore.ClientPlugin 0x41b27:$x2: NanoCore.ClientPlugin 0x4ca84:$x2: NanoCore.ClientPlugin 0x5886e:$x2: NanoCore.ClientPlugin 0x64631:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d53:$x3: NanoCore.ClientPluginHost 0x1fbe7:$x3: NanoCore.ClientPluginHost 0x27b51:$x3: NanoCore.ClientPluginHost 0x2db68:$x3: NanoCore.ClientPluginHost 0x37617:$x3: NanoCore.ClientPluginHost 0x41a87:$x3: NanoCore.ClientPluginHost 0x4caad:$x3: NanoCore.ClientPluginHost 0x58897:$x3: NanoCore.ClientPluginHost 0x64656:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
3.2.outstanding statement.exe.318afc0.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x27b51:$a: NanoCore 0x27bcb:$a: NanoCore 0x2db68:$a: NanoCore 0x2dbb2:$a: NanoCore 0x2e80c:$a: NanoCore
3.2.outstanding statement.exe.318afc0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d53:$a1: NanoCore.ClientPluginHost 0x1fbe7:$a1: NanoCore.ClientPluginHost 0x27b51:$a1: NanoCore.ClientPluginHost 0x2db68:$a1: NanoCore.ClientPluginHost 0x37617:$a1: NanoCore.ClientPluginHost 0x41a87:$a1: NanoCore.ClientPluginHost 0x4caad:$a1: NanoCore.ClientPluginHost 0x58897:$a1: NanoCore.ClientPluginHost 0x64656:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15dcf:$a2: NanoCore.ClientPlugin 0x1fc63:$a2: NanoCore.ClientPlugin 0x27bcb:$a2: NanoCore.ClientPlugin 0x2dbb2:$a2: NanoCore.ClientPlugin 0x37701:$a2: NanoCore.ClientPlugin 0x41b27:$a2: NanoCore.ClientPlugin 0x4ca84:$a2: NanoCore.ClientPlugin 0x5886e:$a2: NanoCore.ClientPlugin 0x64631:$a2: NanoCore.ClientPlugin 0x64647:$b4: IClientAppHost
3.2.outstanding statement.exe.40f9930.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.40f9930.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.40f9930.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.outstanding statement.exe.40f9930.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.40f9930.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.outstanding statement.exe.40f9930.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.40f9930.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.outstanding statement.exe.40f9930.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.444346e.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.outstanding statement.exe.444346e.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
3.2.outstanding statement.exe.444346e.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.outstanding statement.exe.444346e.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
3.2.outstanding statement.exe.445189e.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
3.2.outstanding statement.exe.445189e.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
3.2.outstanding statement.exe.445189e.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
3.2.outstanding statement.exe.445189e.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
3.2.outstanding statement.exe.443a63f.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.outstanding statement.exe.443a63f.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
3.2.outstanding statement.exe.443a63f.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
3.2.outstanding statement.exe.443a63f.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.outstanding statement.exe.443a63f.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.2.outstanding statement.exe.444346e.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.outstanding statement.exe.444346e.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
3.2.outstanding statement.exe.444346e.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
3.2.outstanding statement.exe.444346e.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
3.2.outstanding statement.exe.317d75c.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x16409:$x1: NanoCore.ClientPluginHost 0x235b7:$x1: NanoCore.ClientPluginHost 0x2d44b:$x1: NanoCore.ClientPluginHost 0x353b5:$x1: NanoCore.ClientPluginHost 0x3b3cc:$x1: NanoCore.ClientPluginHost 0x44e7b:$x1: NanoCore.ClientPluginHost 0x4f2eb:$x1: NanoCore.ClientPluginHost 0x5a311:$x1: NanoCore.ClientPluginHost 0x660fb:$x1: NanoCore.ClientPluginHost 0x71eba:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x16436:$x2: IClientNetworkHost 0x235f0:$x2: IClientNetworkHost 0x2d484:$x2: IClientNetworkHost 0x353ee:$x2: IClientNetworkHost 0x44fd8:$x2: IClientNetworkHost 0x4f324:$x2: IClientNetworkHost 0x5a32b:$x2: IClientNetworkHost 0x66115:$x2: IClientNetworkHost 0x71ef7:$x2: IClientNetworkHost
3.2.outstanding statement.exe.317d75c.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x163e3:$x2: NanoCore.ClientPlugin 0x23633:$x2: NanoCore.ClientPlugin 0x2d4c7:$x2: NanoCore.ClientPlugin 0x3542f:$x2: NanoCore.ClientPlugin 0x3b416:$x2: NanoCore.ClientPlugin 0x44f65:$x2: NanoCore.ClientPlugin 0x4f38b:$x2: NanoCore.ClientPlugin 0x5a2e8:$x2: NanoCore.ClientPlugin 0x660d2:$x2: NanoCore.ClientPlugin 0x71e95:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x16409:$x3: NanoCore.ClientPluginHost 0x235b7:$x3: NanoCore.ClientPluginHost 0x2d44b:$x3: NanoCore.ClientPluginHost 0x353b5:$x3: NanoCore.ClientPluginHost 0x3b3cc:$x3: NanoCore.ClientPluginHost 0x44e7b:$x3: NanoCore.ClientPluginHost 0x4f2eb:$x3: NanoCore.ClientPluginHost 0x5a311:$x3: NanoCore.ClientPluginHost 0x660fb:$x3: NanoCore.ClientPluginHost
3.2.outstanding statement.exe.317d75c.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x163e3:$a: NanoCore 0x16409:$a: NanoCore 0x16465:$a: NanoCore 0x232ff:$a: NanoCore 0x23358:$a: NanoCore 0x2338b:$a: NanoCore 0x235b7:$a: NanoCore 0x23633:$a: NanoCore 0x23c4c:$a: NanoCore 0x23d95:$a: NanoCore 0x24269:$a: NanoCore 0x24550:$a: NanoCore 0x24567:$a: NanoCore 0x2d44b:$a: NanoCore 0x2d4c7:$a: NanoCore 0x2fdaa:$a: NanoCore 0x353b5:$a: NanoCore 0x3542f:$a: NanoCore
3.2.outstanding statement.exe.317d75c.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x16409:$a1: NanoCore.ClientPluginHost 0x235b7:$a1: NanoCore.ClientPluginHost 0x2d44b:$a1: NanoCore.ClientPluginHost 0x353b5:$a1: NanoCore.ClientPluginHost 0x3b3cc:$a1: NanoCore.ClientPluginHost 0x44e7b:$a1: NanoCore.ClientPluginHost 0x4f2eb:$a1: NanoCore.ClientPluginHost 0x5a311:$a1: NanoCore.ClientPluginHost 0x660fb:$a1: NanoCore.ClientPluginHost 0x71eba:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x163e3:$a2: NanoCore.ClientPlugin 0x23633:$a2: NanoCore.ClientPlugin 0x2d4c7:$a2: NanoCore.ClientPlugin 0x3542f:$a2: NanoCore.ClientPlugin 0x3b416:$a2: NanoCore.ClientPlugin 0x44f65:$a2: NanoCore.ClientPlugin 0x4f38b:$a2: NanoCore.ClientPlugin 0x5a2e8:$a2: NanoCore.ClientPlugin 0x660d2:$a2: NanoCore.ClientPlugin
0.2.outstanding statement.exe.3d387b8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.outstanding statement.exe.3d387b8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.outstanding statement.exe.3d387b8.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x4499d:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x44b4b:$s4: IPEndPoint
0.2.outstanding statement.exe.3d387b8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x43167:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
0.2.outstanding statement.exe.3d387b8.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.outstanding statement.exe.314f3c8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x32f4f:$x1: NanoCore.ClientPluginHost 0x4479d:$x1: NanoCore.ClientPluginHost 0x5194b:$x1: NanoCore.ClientPluginHost 0x5b7df:$x1: NanoCore.ClientPluginHost 0x63749:$x1: NanoCore.ClientPluginHost 0x69760:$x1: NanoCore.ClientPluginHost 0x7320f:$x1: NanoCore.ClientPluginHost 0x7d67f:$x1: NanoCore.ClientPluginHost 0x886a5:$x1: NanoCore.ClientPluginHost 0x9448f:$x1: NanoCore.ClientPluginHost 0xa024e:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x32f79:$x2: IClientNetworkHost 0x447ca:$x2: IClientNetworkHost 0x51984:$x2: IClientNetworkHost 0x5b818:$x2: IClientNetworkHost 0x63782:$x2: IClientNetworkHost 0x7336c:$x2: IClientNetworkHost 0x7d6b8:$x2: IClientNetworkHost 0x886bf:$x2: IClientNetworkHost
3.2.outstanding statement.exe.314f3c8.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x32f2a:$x2: NanoCore.ClientPlugin 0x44777:$x2: NanoCore.ClientPlugin 0x519c7:$x2: NanoCore.ClientPlugin 0x5b85b:$x2: NanoCore.ClientPlugin 0x637c3:$x2: NanoCore.ClientPlugin 0x697aa:$x2: NanoCore.ClientPlugin 0x732f9:$x2: NanoCore.ClientPlugin 0x7d71f:$x2: NanoCore.ClientPlugin 0x8867c:$x2: NanoCore.ClientPlugin 0x94466:$x2: NanoCore.ClientPlugin 0xa0229:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x32f4f:$x3: NanoCore.ClientPluginHost 0x4479d:$x3: NanoCore.ClientPluginHost 0x5194b:$x3: NanoCore.ClientPluginHost 0x5b7df:$x3: NanoCore.ClientPluginHost 0x63749:$x3: NanoCore.ClientPluginHost 0x69760:$x3: NanoCore.ClientPluginHost 0x7320f:$x3: NanoCore.ClientPluginHost 0x7d67f:$x3: NanoCore.ClientPluginHost
3.2.outstanding statement.exe.314f3c8.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x32f2a:$a: NanoCore 0x32f4f:$a: NanoCore 0x32fa8:$a: NanoCore 0x44777:$a: NanoCore 0x4479d:$a: NanoCore 0x447f9:$a: NanoCore 0x51693:$a: NanoCore 0x516ec:$a: NanoCore 0x5171f:$a: NanoCore 0x5194b:$a: NanoCore 0x519c7:$a: NanoCore 0x51fe0:$a: NanoCore 0x52129:$a: NanoCore 0x525fd:$a: NanoCore 0x528e4:$a: NanoCore 0x528fb:$a: NanoCore 0x5b7df:$a: NanoCore
3.2.outstanding statement.exe.314f3c8.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x32f4f:$a1: NanoCore.ClientPluginHost 0x4479d:$a1: NanoCore.ClientPluginHost 0x5194b:$a1: NanoCore.ClientPluginHost 0x5b7df:$a1: NanoCore.ClientPluginHost 0x63749:$a1: NanoCore.ClientPluginHost 0x69760:$a1: NanoCore.ClientPluginHost 0x7320f:$a1: NanoCore.ClientPluginHost 0x7d67f:$a1: NanoCore.ClientPluginHost 0x886a5:$a1: NanoCore.ClientPluginHost 0x9448f:$a1: NanoCore.ClientPluginHost 0xa024e:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x32f2a:$a2: NanoCore.ClientPlugin 0x44777:$a2: NanoCore.ClientPlugin 0x519c7:$a2: NanoCore.ClientPlugin 0x5b85b:$a2: NanoCore.ClientPlugin 0x637c3:$a2: NanoCore.ClientPlugin 0x697aa:$a2: NanoCore.ClientPlugin 0x732f9:$a2: NanoCore.ClientPlugin 0x7d71f:$a2: NanoCore.ClientPlugin
3.2.outstanding statement.exe.42902a2.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.outstanding statement.exe.42902a2.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x134d9:$x2: NanoCore.ClientPlugin 0x1947c:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x81610:$x2: NanoCore.ClientPlugin 0x94d86:$x2: NanoCore.ClientPlugin 0xa29d0:$x2: NanoCore.ClientPlugin 0xb2beb:$x2: NanoCore.ClientPlugin 0xbfdf6:$x2: NanoCore.ClientPlugin 0xc6342:$x2: NanoCore.ClientPlugin 0xcc2e3:$x2: NanoCore.ClientPlugin 0xd5def:$x2: NanoCore.ClientPlugin 0xe01d0:$x2: NanoCore.ClientPlugin 0xeb0e4:$x2: NanoCore.ClientPlugin 0xf6e86:$x2: NanoCore.ClientPlugin
3.2.outstanding statement.exe.42902a2.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x1345f:$a: NanoCore 0x134d9:$a: NanoCore 0x18076:$a: NanoCore 0x19432:$a: NanoCore 0x1947c:$a: NanoCore 0x1a0d6:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
3.2.outstanding statement.exe.42902a2.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x1345f:$a1: NanoCore.ClientPluginHost 0x19432:$a1: NanoCore.ClientPluginHost 0x22ea0:$a1: NanoCore.ClientPluginHost 0x2d2cd:$a1: NanoCore.ClientPluginHost 0x382ac:$a1: NanoCore.ClientPluginHost 0x44050:$a1: NanoCore.ClientPluginHost 0x68f56:$a1: NanoCore.ClientPluginHost 0x78398:$a1: NanoCore.ClientPluginHost 0x8164d:$a1: NanoCore.ClientPluginHost 0x94dbb:$a1: NanoCore.ClientPluginHost 0xa29f5:$a1: NanoCore.ClientPluginHost 0xb2c11:$a1: NanoCore.ClientPluginHost 0xbfd7a:$a1: NanoCore.ClientPluginHost 0xc62c8:$a1: NanoCore.ClientPluginHost 0xcc299:$a1: NanoCore.ClientPluginHost 0xd5d05:$a1: NanoCore.ClientPluginHost 0xe0130:$a1: NanoCore.ClientPluginHost 0xeb10d:$a1: NanoCore.ClientPluginHost 0xf6eaf:$a1: NanoCore.ClientPluginHost
3.2.outstanding statement.exe.427bc75.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.outstanding statement.exe.426fa41.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.outstanding statement.exe.3c19a40.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12ef05:$x1: NanoCore.ClientPluginHost 0x12ef42:$x2: IClientNetworkHost 0x132a75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.outstanding statement.exe.427bc75.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x27b06:$x2: NanoCore.ClientPlugin 0x2daa9:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0x95c3d:$x2: NanoCore.ClientPlugin 0xa93b3:$x2: NanoCore.ClientPlugin 0xb6ffd:$x2: NanoCore.ClientPlugin 0xc7218:$x2: NanoCore.ClientPlugin 0xd4423:$x2: NanoCore.ClientPlugin 0xda96f:$x2: NanoCore.ClientPlugin 0xe0910:$x2: NanoCore.ClientPlugin 0xea41c:$x2: NanoCore.ClientPlugin 0xf47fd:$x2: NanoCore.ClientPlugin 0xff711:$x2: NanoCore.ClientPlugin
3.2.outstanding statement.exe.427bc75.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
3.2.outstanding statement.exe.427bc75.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x27a8c:$a1: NanoCore.ClientPluginHost 0x2da5f:$a1: NanoCore.ClientPluginHost 0x374cd:$a1: NanoCore.ClientPluginHost 0x418fa:$a1: NanoCore.ClientPluginHost 0x4c8d9:$a1: NanoCore.ClientPluginHost 0x5867d:$a1: NanoCore.ClientPluginHost 0x7d583:$a1: NanoCore.ClientPluginHost 0x8c9c5:$a1: NanoCore.ClientPluginHost 0x95c7a:$a1: NanoCore.ClientPluginHost 0xa93e8:$a1: NanoCore.ClientPluginHost 0xb7022:$a1: NanoCore.ClientPluginHost 0xc723e:$a1: NanoCore.ClientPluginHost 0xd43a7:$a1: NanoCore.ClientPluginHost 0xda8f5:$a1: NanoCore.ClientPluginHost 0xe08c6:$a1: NanoCore.ClientPluginHost 0xea332:$a1: NanoCore.ClientPluginHost 0xf475d:$a1: NanoCore.ClientPluginHost 0xff73a:$a1: NanoCore.ClientPluginHost
3.2.outstanding statement.exe.426fa41.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x33d3a:$x2: NanoCore.ClientPlugin 0x39cdd:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xa1e71:$x2: NanoCore.ClientPlugin 0xb55e7:$x2: NanoCore.ClientPlugin 0xc3231:$x2: NanoCore.ClientPlugin 0xd344c:$x2: NanoCore.ClientPlugin 0xe0657:$x2: NanoCore.ClientPlugin 0xe6ba3:$x2: NanoCore.ClientPlugin 0xecb44:$x2: NanoCore.ClientPlugin 0xf6650:$x2: NanoCore.ClientPlugin 0x100a31:$x2: NanoCore.ClientPlugin
3.2.outstanding statement.exe.426fa41.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
3.2.outstanding statement.exe.426fa41.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x33cc0:$a1: NanoCore.ClientPluginHost 0x39c93:$a1: NanoCore.ClientPluginHost 0x43701:$a1: NanoCore.ClientPluginHost 0x4db2e:$a1: NanoCore.ClientPluginHost 0x58b0d:$a1: NanoCore.ClientPluginHost 0x648b1:$a1: NanoCore.ClientPluginHost 0x897b7:$a1: NanoCore.ClientPluginHost 0x98bf9:$a1: NanoCore.ClientPluginHost 0xa1eae:$a1: NanoCore.ClientPluginHost 0xb561c:$a1: NanoCore.ClientPluginHost 0xc3256:$a1: NanoCore.ClientPluginHost 0xd3472:$a1: NanoCore.ClientPluginHost 0xe05db:$a1: NanoCore.ClientPluginHost 0xe6b29:$a1: NanoCore.ClientPluginHost 0xecafa:$a1: NanoCore.ClientPluginHost 0xf6566:$a1: NanoCore.ClientPluginHost 0x100991:$a1: NanoCore.ClientPluginHost
0.2.outstanding statement.exe.3c19a40.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.outstanding statement.exe.3c19a40.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x12ec6d:$x1: NanoCore Client 0x12ec7d:$x1: NanoCore Client 0x12eec5:$x2: NanoCore.ClientPlugin 0x12ef05:$x3: NanoCore.ClientPluginHost 0x12eeba:$i1: IClientApp 0x12eedb:$i2: IClientData 0x12eee7:$i3: IClientNetwork 0x12eef6:$i4: IClientAppHost 0x12ef1f:$i5: IClientDataHost 0x12ef2f:$i6: IClientLoggingHost 0x12ef42:$i7: IClientNetworkHost 0x12ef55:$i8: IClientUIHost 0x12ef63:$i9: IClientNameObjectCollection 0x12ef7f:$i10: IClientReadOnlyNameObjectCollection 0x12eccc:$s1: ClientPlugin 0x12eece:$s1: ClientPlugin 0x12f3c2:$s2: EndPoint 0x12f3cb:$s3: IPAddress 0x163715:$s3: IPAddress 0x12f3d5:$s4: IPEndPoint 0x1638c3:$s4: IPEndPoint
0.2.outstanding statement.exe.3c19a40.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12ec6d:$a: NanoCore 0x12ec7d:$a: NanoCore 0x12eeb1:$a: NanoCore 0x12eec5:$a: NanoCore 0x12ef05:$a: NanoCore 0x12eccc:$b: ClientPlugin 0x12eece:$b: ClientPlugin 0x12ef0e:$b: ClientPlugin 0x82147:$c: ProjectData 0x12edf3:$c: ProjectData 0x161edf:$c: ProjectData 0x12f7fa:$d: DESCrypto 0x1371c6:$e: KeepAlive 0x1351b4:$g: LogClientMessage 0x1313af:$i: get_Connected 0x12fb30:$j: #=q 0x12fb60:$j: #=q 0x12fb7c:$j: #=q 0x12fbac:$j: #=q 0x12fbc8:$j: #=q 0x12fbe4:$j: #=q
0.2.outstanding statement.exe.3c19a40.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x12ef05:$a1: NanoCore.ClientPluginHost 0x12eec5:$a2: NanoCore.ClientPlugin 0x130e1e:$b1: get_BuilderSettings 0x12ed21:$b2: ClientLoaderForm.resources 0x13053e:$b3: PluginCommand 0x12eef6:$b4: IClientAppHost 0x139376:$b5: GetBlockHash 0x131476:$b6: AddHostEntry 0x135169:$b7: LogClientException 0x1313e3:$b8: PipeExists 0x12ef2f:$b9: IClientLoggingHost
Click to see the 242 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\outstanding statement.exe, ProcessId: 5468, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\outstanding statement.exe" , ParentImage: C:\Users\user\Desktop\outstanding statement.exe, ParentProcessId: 5916, ParentProcessName: outstanding statement.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp, ProcessId: 5316, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972010102816766 09/27/22-04:38:51.977418
SID:	2816766
Source Port:	49720
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 185.216.71.194 - Destination IP: 192.168.2.6

Timestamp:	185.216.71.194192.168.2.61010497442841753 09/27/22-04:40:41.029927
SID:	2841753
Source Port:	1010
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972510102816766 09/27/22-04:39:42.842313
SID:	2816766
Source Port:	49725
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972310102816766 09/27/22-04:39:17.707266
SID:	2816766
Source Port:	49723
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972710102816766 09/27/22-04:39:59.267095
SID:	2816766
Source Port:	49727
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 185.216.71.194 - Destination IP: 192.168.2.6

Timestamp:	185.216.71.194192.168.2.61010497382841753 09/27/22-04:40:20.888739
SID:	2841753
Source Port:	1010
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944973410102816766 09/27/22-04:40:15.599094
SID:	2816766
Source Port:	49734
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972610102816766 09/27/22-04:39:50.710998
SID:	2816766
Source Port:	49726
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972210102816766 09/27/22-04:39:10.006149
SID:	2816766
Source Port:	49722
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972410102816766 09/27/22-04:39:26.449893
SID:	2816766
Source Port:	49724
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972410102816718 09/27/22-04:39:26.449893
SID:	2816718
Source Port:	49724
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944972110102816766 09/27/22-04:39:02.212727
SID:	2816766
Source Port:	49721
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944973010102816766 09/27/22-04:40:04.752952
SID:	2816766
Source Port:	49730
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944973810102816766 09/27/22-04:40:20.889307
SID:	2816766
Source Port:	49738
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.6 - Destination IP: 185.216.71.194

Timestamp:	192.168.2.6185.216.71.1944974410102816766 09/27/22-04:40:27.214840
SID:	2816766
Source Port:	49744
Destination Port:	1010
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: outstanding statement.exe	ReversingLabs: Detection: 80%
Source: outstanding statement.exe	Virustotal: Detection: 36%	Perma Link
Source: outstanding statement.exe	Metadefender: Detection: 36%	Perma Link

Multi AV Scanner detection for domain / URL

Source: dera5nano.ddns.net

Virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 80%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 36%	Perma Link
Source: C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	ReversingLabs: Detection: 80%
Source: C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	Metadefender: Detection: 36%	Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR

Machine Learning detection for sample

Source: outstanding statement.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	Joe Sandbox ML: detected

Source: 3.0.outstanding statement.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.outstanding statement.exe.5a50000.16.unpack	Avira: Label: TR/NanoCore.fadte

Source: outstanding statement.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: outstanding statement.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49720 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49721 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49722 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49723 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49724 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.6:49724 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49725 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49726 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49727 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49730 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49734 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 185.216.71.194:1010 -> 192.168.2.6:49738
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49738 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.6:49744 -> 185.216.71.194:1010
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 185.216.71.194:1010 -> 192.168.2.6:49744

Uses dynamic DNS services

Source: unknown

DNS query: name: dera5nano.ddns.net

Source: Joe Sandbox View

ASN Name: CLOUDCOMPUTINGDE CLOUDCOMPUTINGDE

Source: global traffic

TCP traffic: 192.168.2.6:49720 -> 185.216.71.194:1010

Source: outstanding statement.exe, 00000000.00000003.251131135.0000000005980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://google.com
Source: outstanding statement.exe, 00000000.00000002.284266217.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000010.00000002.370377892.000000000268D000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.379481668.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000015.00000002.421885929.000000000263D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250798345.0000000005983000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com2F
Source: outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFqFV
Source: outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.245987301.0000000005983000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: outstanding statement.exe, 00000000.00000003.245987301.0000000005983000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comic~
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.248775625.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249356882.000000000596B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: outstanding statement.exe, 00000000.00000003.250157695.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250061609.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249824948.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250228496.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250441527.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249574322.0000000005981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/in
Source: outstanding statement.exe, 00000000.00000003.248362376.0000000005966000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnlQ
Source: outstanding statement.exe, 00000000.00000003.248775625.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249238521.0000000005984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrin
Source: outstanding statement.exe, 00000000.00000003.248304884.0000000005969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cns-m
Source: outstanding statement.exe, 00000000.00000003.248304884.0000000005969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnus
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.246447193.0000000005981000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.246469625.0000000005982000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: dera5nano.ddns.net

Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

.NET source code contains very large strings

Source: outstanding statement.exe, ShoppingCart/MainForm.cs	Long String: Length: 129663
Source: OIdzpXTWJYUnz.exe.0.dr, ShoppingCart/MainForm.cs	Long String: Length: 129663
Source: dhcpmon.exe.3.dr, ShoppingCart/MainForm.cs	Long String: Length: 129663

Source: outstanding statement.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.40fe5cf.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.756e8a4.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7590000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7520000.25.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7520000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7540000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73a0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.5a40000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7590000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.6aa0000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73d0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7230000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73c0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.427bc75.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 32.2.dhcpmon.exe.2ed965c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.443a63f.11.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73a0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7200000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7390000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.426fa41.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7564c9f.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7560000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.317d75c.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73d0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.445189e.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.41081d4.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7540000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7390000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7560000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.6aa0000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.318afc0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73c0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.outstanding statement.exe.3169678.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.73b0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.7200000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.318afc0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.40f9930.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.40f9930.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.444346e.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.445189e.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.443a63f.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.444346e.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.317d75c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.314f3c8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: outstanding statement.exe PID: 5832, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 3068, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 5728, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02842300
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02843010
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_028422B1
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_028432B9
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_028432C8
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_028422F1
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02842CF8
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02843000
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_0284001B
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02840040
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02842D08
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_04E7E680
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_04E7C374
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_06AB0040
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_06AA0592
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0135E471
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0135E480
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0135BBD4
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561D640
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561C6F0
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561D308
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_05613E30
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_05614A40
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561653F
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561D3C6
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_05614B08
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_06AE2770
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_06AE0448

Source: outstanding statement.exe, 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs outstanding statement.exe
Source: outstanding statement.exe, 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevNvQXl4.exeH vs outstanding statement.exe
Source: outstanding statement.exe, 00000000.00000002.305040446.0000000007400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs outstanding statement.exe
Source: outstanding statement.exe, 00000000.00000000.242226533.00000000006CC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevNvQXl4.exeH vs outstanding statement.exe
Source: outstanding statement.exe, 00000000.00000002.289236409.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs outstanding statement.exe
Source: outstanding statement.exe	Binary or memory string: OriginalFilename vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000003.295097787.0000000001475000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevNvQXl4.exeH vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.548480489.0000000005620000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.553562684.0000000007548000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.540312604.0000000004171000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.554047655.0000000007588000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.554222109.000000000759E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.524034944.00000000013C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs outstanding statement.exe
Source: outstanding statement.exe, 00000010.00000002.405556630.000000000393D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs outstanding statement.exe
Source: outstanding statement.exe, 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe, 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs outstanding statement.exe
Source: outstanding statement.exe	Binary or memory string: OriginalFilenamevNvQXl4.exeH vs outstanding statement.exe

Source: outstanding statement.exe	ReversingLabs: Detection: 80%
Source: outstanding statement.exe	Virustotal: Detection: 36%
Source: outstanding statement.exe	Metadefender: Detection: 36%

Source: C:\Users\user\Desktop\outstanding statement.exe

File read: C:\Users\user\Desktop\outstanding statement.exe

Jump to behavior

Source: outstanding statement.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\outstanding statement.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\outstanding statement.exe "C:\Users\user\Desktop\outstanding statement.exe"
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAB73.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\outstanding statement.exe "C:\Users\user\Desktop\outstanding statement.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp27F3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp29F7.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp6644.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAB73.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp27F3.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp29F7.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp6644.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\outstanding statement.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\outstanding statement.exe

File created: C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe

Jump to behavior

Source: C:\Users\user\Desktop\outstanding statement.exe

File created: C:\Users\user\AppData\Local\Temp\tmp949C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@39/16@12/1

Source: C:\Users\user\Desktop\outstanding statement.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: outstanding statement.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\outstanding statement.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\outstanding statement.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\outstanding statement.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\outstanding statement.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3132:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01
Source: C:\Users\user\Desktop\outstanding statement.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{5a26bcef-e67f-486a-8e48-1748cc7891a2}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4944:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_01

Source: C:\Users\user\Desktop\outstanding statement.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\outstanding statement.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: outstanding statement.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: outstanding statement.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02847A9D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_028443AF push ebx; iretd
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 0_2_02840007 push eax; iretd
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561B769 push 8BB44589h; retf
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561B721 push 8BB84589h; retf
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561B7AD push 8BB04589h; retf
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561B6D8 push 8BBC4589h; retf
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_0561B68C push 8BC04589h; retf
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_05611A04 push E801005Eh; ret
Source: C:\Users\user\Desktop\outstanding statement.exe	Code function: 3_2_05611AB6 push ss; ret

Source: initial sample	Static PE information: section name: .text entropy: 6.89608219692869
Source: initial sample	Static PE information: section name: .text entropy: 6.89608219692869
Source: initial sample	Static PE information: section name: .text entropy: 6.89608219692869

Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.0.outstanding statement.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\outstanding statement.exe	File created: C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe			Jump to dropped file
Source: C:\Users\user\Desktop\outstanding statement.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\outstanding statement.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\outstanding statement.exe

File opened: C:\Users\user\Desktop\outstanding statement.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\outstanding statement.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: outstanding statement.exe, 00000000.00000002.284266217.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000010.00000002.370377892.000000000268D000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.379481668.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: outstanding statement.exe, 00000000.00000002.284266217.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000010.00000002.370377892.000000000268D000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.379481668.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\outstanding statement.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\outstanding statement.exe TID: 5844	Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\outstanding statement.exe TID: 2528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5380	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\outstanding statement.exe TID: 2704	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3824	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\outstanding statement.exe	Window / User API: threadDelayed 9517
Source: C:\Users\user\Desktop\outstanding statement.exe	Window / User API: foregroundWindowGot 353

Source: C:\Users\user\Desktop\outstanding statement.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\outstanding statement.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: outstanding statement.exe, 00000003.00000002.526366083.000000000147B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw7@
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000015.00000002.424319252.0000000002672000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\outstanding statement.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\outstanding statement.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\outstanding statement.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\outstanding statement.exe	Memory written: C:\Users\user\Desktop\outstanding statement.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\outstanding statement.exe	Memory written: C:\Users\user\Desktop\outstanding statement.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAB73.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp27F3.tmp
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Users\user\Desktop\outstanding statement.exe {path}
Source: C:\Users\user\Desktop\outstanding statement.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp29F7.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp6644.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: outstanding statement.exe, 00000003.00000002.534535173.0000000003343000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.535839657.00000000033E3000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.537072052.000000000347F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerh
Source: outstanding statement.exe, 00000003.00000002.532596847.0000000003257000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.539455528.00000000035A5000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.537927036.00000000034F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerpi=
Source: outstanding statement.exe, 00000003.00000002.535669291.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.532596847.0000000003257000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.534231984.000000000331F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: outstanding statement.exe, 00000003.00000002.554673445.000000000815B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: outstanding statement.exe, 00000003.00000002.535088255.0000000003385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx

Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Users\user\Desktop\outstanding statement.exe VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Users\user\Desktop\outstanding statement.exe VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Users\user\Desktop\outstanding statement.exe VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Users\user\Desktop\outstanding statement.exe VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\outstanding statement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\outstanding statement.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\outstanding statement.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: outstanding statement.exe, 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: outstanding statement.exe, 00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: outstanding statement.exe, 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: outstanding statement.exe, 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: outstanding statement.exe, 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: outstanding statement.exe, 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: outstanding statement.exe, 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: outstanding statement.exe, 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: outstanding statement.exe, 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: outstanding statement.exe, 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.outstanding statement.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4150614.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.414b7de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.outstanding statement.exe.4154c3d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a50000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.5a54629.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3d387b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.42902a2.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.427bc75.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.outstanding statement.exe.426fa41.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.outstanding statement.exe.3c19a40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 5468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: outstanding statement.exe PID: 1276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4008, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	11 Input Capture	211 Security Software Discovery	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
outstanding statement.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
outstanding statement.exe	36%	Virustotal		Browse
outstanding statement.exe	36%	Metadefender		Browse
outstanding statement.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	36%	Metadefender		Browse
C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe	36%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.outstanding statement.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
3.2.outstanding statement.exe.5a50000.16.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
dera5nano.ddns.net	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://en.w	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.founder.com.cn/cns-m	0%	URL Reputation	safe
http://www.fontbureau.com2F	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.fonts.comic~	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.fontbureau.comB.TTFqFV	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/in	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnrin	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnus	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnlQ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dera5nano.ddns.net	185.216.71.194	true	true	14%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250798345.0000000005983000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com2F	outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.246447193.0000000005981000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.246469625.0000000005982000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.comic~	outstanding statement.exe, 00000000.00000003.245987301.0000000005983000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	outstanding statement.exe, 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://en.w	outstanding statement.exe, 00000000.00000003.251131135.0000000005980000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.248775625.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249356882.000000000596B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comB.TTFqFV	outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.como	outstanding statement.exe, 00000000.00000002.283923620.0000000000E77000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnrin	outstanding statement.exe, 00000000.00000003.248775625.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249238521.0000000005984000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.245987301.0000000005983000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/in	outstanding statement.exe, 00000000.00000003.250157695.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250061609.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249824948.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250228496.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.250441527.0000000005983000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000000.00000003.249574322.0000000005981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sandoll.co.kr	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cns-m	outstanding statement.exe, 00000000.00000003.248304884.0000000005969000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	outstanding statement.exe, 00000000.00000002.284266217.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, outstanding statement.exe, 00000010.00000002.370377892.000000000268D000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000011.00000002.379481668.0000000002511000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000015.00000002.421885929.000000000263D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnlQ	outstanding statement.exe, 00000000.00000003.249051684.0000000005983000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	outstanding statement.exe, 00000000.00000002.298411409.0000000006C02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnus	outstanding statement.exe, 00000000.00000003.248304884.0000000005969000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnd	outstanding statement.exe, 00000000.00000003.248362376.0000000005966000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.216.71.194	dera5nano.ddns.net	Germany		43659	CLOUDCOMPUTINGDE	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	710454
Start date and time:	2022-09-27 04:37:28 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	outstanding statement.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@39/16@12/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
TCP Packets have been reduced to 100
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, displaycatalog.mp.microsoft.com, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:38:31	API Interceptor	797x Sleep call for process: outstanding statement.exe modified
04:38:46	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\outstanding statement.exe" s>$(Arg0)
04:38:46	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
04:38:48	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
04:39:05	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	764928
Entropy (8bit):	6.890085708700623
Encrypted:	false
SSDEEP:	12288:PHK2xwKKFbHecmpYAf6GZPVNzBKUcY4oqwlsLhARylQ:/KvHBu1iizgUcGqwlsL+E
MD5:	C83F7860B0C0F1AD76D8CA65C6BAD689
SHA1:	221BA6CF88DE4C688583C69E8892EC9C3804A11E
SHA-256:	94BCC238E29903CC49036DA98144DAE0C7E10526669D6C50E3B87239F8E27262
SHA-512:	B0D67DC5E4F1BFDEFD3785C33088823FABF690107B58B9EFA88C617FE2C1F679B651E7826187106B5F8F4E5B44D4B92FF7D3B9E247A908E1DDC6591FB00C8307
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Metadefender, Detection: 36%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+c..............P.................. ........@.. ....................................@....................................O.......\|............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...\|...........................@..@.reloc..............................@..B........................H.......d...........8...._...O............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r/..p~....o-...(......t$....+..*...0..&........(....r;..p~....o-...(......

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\outstanding statement.exe.log

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp27F3.tmp

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.173145396065913
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3QVtn:cbha7JlNQV/rydbz9I3YODOLNdq3e
MD5:	045EF4AD13327F636AD990FB75EF4745
SHA1:	B3F2D1C045FD1FB74B4CDB696CAA24131608581F
SHA-256:	51451DA82167F1BDA0611EBCCC730E04637D6F4E8EE59723D7C98864561DBD5F
SHA-512:	EB522B1E1307F8AB1650EA237C495CA4467878063D1BA13319E3235553BF5780325566E402FDE1DB38C0D41754AAED91813C7E8C340837E442C8F311DFEA6826
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmp29F7.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.173145396065913
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3QVtn:cbha7JlNQV/rydbz9I3YODOLNdq3e
MD5:	045EF4AD13327F636AD990FB75EF4745
SHA1:	B3F2D1C045FD1FB74B4CDB696CAA24131608581F
SHA-256:	51451DA82167F1BDA0611EBCCC730E04637D6F4E8EE59723D7C98864561DBD5F
SHA-512:	EB522B1E1307F8AB1650EA237C495CA4467878063D1BA13319E3235553BF5780325566E402FDE1DB38C0D41754AAED91813C7E8C340837E442C8F311DFEA6826
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmp6644.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.173145396065913
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3QVtn:cbha7JlNQV/rydbz9I3YODOLNdq3e
MD5:	045EF4AD13327F636AD990FB75EF4745
SHA1:	B3F2D1C045FD1FB74B4CDB696CAA24131608581F
SHA-256:	51451DA82167F1BDA0611EBCCC730E04637D6F4E8EE59723D7C98864561DBD5F
SHA-512:	EB522B1E1307F8AB1650EA237C495CA4467878063D1BA13319E3235553BF5780325566E402FDE1DB38C0D41754AAED91813C7E8C340837E442C8F311DFEA6826
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmp949C.tmp

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1658
Entropy (8bit):	5.173145396065913
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3QVtn:cbha7JlNQV/rydbz9I3YODOLNdq3e
MD5:	045EF4AD13327F636AD990FB75EF4745
SHA1:	B3F2D1C045FD1FB74B4CDB696CAA24131608581F
SHA-256:	51451DA82167F1BDA0611EBCCC730E04637D6F4E8EE59723D7C98864561DBD5F
SHA-512:	EB522B1E1307F8AB1650EA237C495CA4467878063D1BA13319E3235553BF5780325566E402FDE1DB38C0D41754AAED91813C7E8C340837E442C8F311DFEA6826
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail

C:\Users\user\AppData\Local\Temp\tmpAB73.tmp

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.075456581526247
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V7llxtn:cbk4oL600QydbQxIYODOLedq3Sj
MD5:	BD86622E7AE294D2E629D0CD70EB4F53
SHA1:	19390333CCBCA863F566D7C7D3C3072660C38639
SHA-256:	68268C47BB1D960EED8A842158FDACEEBD8FDAB2DA338187835483435BC1FAF8
SHA-512:	4D6743EA0AA23A22E694675BC0A4D548B8C4FFE65BC1D22626ED2D2737858CFC35F0875C6D2A7554B8C1CC4599D73B2AFA841E6101D2E8B0764C2178256B21E0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:zFl:L
MD5:	5D4F5C629F89ECD4603E80D69E56497C
SHA1:	F328E21FACD68DE538AB3327B30F245C7028D58D
SHA-256:	BCE23A45323D7F96C8C1424A2C765310C5FA219E1CD9EFCDF2E73AB1B1FBC72F
SHA-512:	FBDC364766F180C157B30C9F024D83BA7CB37E7171717EF173B490BD768CD4ACC166A6C971E5992E6376D6C03FB2C9D9E424FFD70DD5A0760F51B91F305C88B3
Malicious:	true
Preview:	..0.\|..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	data
Category:	modified
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	data
Category:	dropped
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.000692381850293
Encrypted:	false
SSDEEP:	3:oNN2+WKQNL62duRkAn:oNN2RKg6LRJn
MD5:	51437E707B7C1D7245E6728854ED4C9F
SHA1:	5771D153870F91E112DF11E958231EA1A8B7B9A7
SHA-256:	390D5FF71830498A4FBDA8CAC5C3A8CA0DDB743777C18957172B8BDF0836211E
SHA-512:	76EC1C431A17C0E1B8979A1076FBBDFBA1082D28BB8FDA2C7136997DD863CD3350DB1BFC0F1D7BED4743EDA3D1334011ED04590C9DF1D624223499467488CD4D
Malicious:	false
Preview:	C:\Users\user\Desktop\outstanding statement.exe

C:\Users\user\AppData\Roaming\OIdzpXTWJYUnz.exe

Download File

Process:	C:\Users\user\Desktop\outstanding statement.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	764928
Entropy (8bit):	6.890085708700623
Encrypted:	false
SSDEEP:	12288:PHK2xwKKFbHecmpYAf6GZPVNzBKUcY4oqwlsLhARylQ:/KvHBu1iizgUcGqwlsL+E
MD5:	C83F7860B0C0F1AD76D8CA65C6BAD689
SHA1:	221BA6CF88DE4C688583C69E8892EC9C3804A11E
SHA-256:	94BCC238E29903CC49036DA98144DAE0C7E10526669D6C50E3B87239F8E27262
SHA-512:	B0D67DC5E4F1BFDEFD3785C33088823FABF690107B58B9EFA88C617FE2C1F679B651E7826187106B5F8F4E5B44D4B92FF7D3B9E247A908E1DDC6591FB00C8307
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81% Antivirus: Metadefender, Detection: 36%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+c..............P.................. ........@.. ....................................@....................................O.......\|............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...\|...........................@..@.reloc..............................@..B........................H.......d...........8...._...O............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r/..p~....o-...(......t$....+..*...0..&........(....r;..p~....o-...(......

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.890085708700623
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	outstanding statement.exe
File size:	764928
MD5:	c83f7860b0c0f1ad76d8ca65c6bad689
SHA1:	221ba6cf88de4c688583c69e8892ec9c3804a11e
SHA256:	94bcc238e29903cc49036da98144dae0c7e10526669d6c50e3b87239f8e27262
SHA512:	b0d67dc5e4f1bfdefd3785c33088823fabf690107b58b9efa88c617fe2c1f679b651e7826187106b5f8f4e5b44d4b92ff7d3b9e247a908e1ddc6591fb00c8307
SSDEEP:	12288:PHK2xwKKFbHecmpYAf6GZPVNzBKUcY4oqwlsLhARylQ:/KvHBu1iizgUcGqwlsL+E
TLSH:	F4F42A2425EB521CF4765FE95FC8B8FA499BFE61662AA0F628E073458B33E04CDD1035
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+c..............P.................. ........@.. ....................................@................................

File Icon


Icon Hash:	0030484e96986000

Static PE Info

General

Entrypoint:	0x4bb01e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x632BD8FA [Thu Sep 22 03:39:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
out 27h, al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub eax, 33333340h
xor esi, dword ptr [ebx]
cmp eax, 00000040h
add byte ptr [eax], al
xor byte ptr [edx], 00000040h
xor esi, dword ptr [ebx]
xor esi, dword ptr [ebx]
xor esi, ebx
cmp eax, 00000040h
add byte ptr [eax], al
add byte ptr [edi], ah
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sub eax, 66666640h
out 29h, al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbafcc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbc000	0x147c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xbe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb9064	0xb9200	False	0.632404994513842	data	6.89608219692869	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xbc000	0x147c	0x1600	False	0.6782670454545454	data	6.473901803583799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xbe000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xbc100	0xdf0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xbcf00	0x14	data
RT_VERSION	0xbcf24	0x358	data
RT_MANIFEST	0xbd28c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.6185.216.71.1944972010102816766 09/27/22-04:38:51.977418	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49720	1010	192.168.2.6	185.216.71.194
185.216.71.194192.168.2.61010497442841753 09/27/22-04:40:41.029927	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1010	49744	185.216.71.194	192.168.2.6
192.168.2.6185.216.71.1944972510102816766 09/27/22-04:39:42.842313	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49725	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972310102816766 09/27/22-04:39:17.707266	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49723	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972710102816766 09/27/22-04:39:59.267095	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49727	1010	192.168.2.6	185.216.71.194
185.216.71.194192.168.2.61010497382841753 09/27/22-04:40:20.888739	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1010	49738	185.216.71.194	192.168.2.6
192.168.2.6185.216.71.1944973410102816766 09/27/22-04:40:15.599094	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49734	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972610102816766 09/27/22-04:39:50.710998	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49726	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972210102816766 09/27/22-04:39:10.006149	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49722	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972410102816766 09/27/22-04:39:26.449893	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49724	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972410102816718 09/27/22-04:39:26.449893	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49724	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944972110102816766 09/27/22-04:39:02.212727	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49721	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944973010102816766 09/27/22-04:40:04.752952	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49730	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944973810102816766 09/27/22-04:40:20.889307	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49738	1010	192.168.2.6	185.216.71.194
192.168.2.6185.216.71.1944974410102816766 09/27/22-04:40:27.214840	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49744	1010	192.168.2.6	185.216.71.194

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2022 04:38:48.880903006 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:48.909274101 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:48.909415960 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.190139055 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.245604038 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.397131920 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.419725895 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.448052883 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.595479012 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.673928022 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.674000978 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.746371031 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.746431112 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.746457100 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.746478081 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.746567011 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.776268005 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776321888 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776361942 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776397943 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776401997 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.776434898 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776443005 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.776472092 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776509047 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776520967 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.776547909 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.776588917 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804235935 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804466963 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804524899 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804570913 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804591894 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804620028 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804639101 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804667950 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804713964 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804717064 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804763079 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804805994 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804807901 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804851055 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804892063 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.804900885 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804944992 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804990053 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.804990053 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.805037975 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.805083036 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.805083990 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.805130959 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.805175066 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833092928 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833158970 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833205938 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833230019 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833260059 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833304882 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833306074 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833349943 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833394051 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833400011 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833436966 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833477974 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833479881 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833523989 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833566904 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833566904 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833612919 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833657026 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833659887 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833699942 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833741903 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833744049 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833787918 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833830118 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833831072 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833874941 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833918095 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833929062 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.833962917 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.833997011 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834007025 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834052086 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834089041 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834095001 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834137917 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834197044 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834199905 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834239960 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834278107 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834286928 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834331989 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834373951 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834374905 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834420919 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834461927 CEST	49720	1010	192.168.2.6	185.216.71.194
Sep 27, 2022 04:38:49.834465027 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834510088 CEST	1010	49720	185.216.71.194	192.168.2.6
Sep 27, 2022 04:38:49.834548950 CEST	49720	1010	192.168.2.6	185.216.71.194

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2022 04:38:48.835799932 CEST	49448	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:38:48.857659101 CEST	53	49448	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:01.514961958 CEST	59082	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:01.534094095 CEST	53	59082	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:08.802707911 CEST	59504	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:08.820116043 CEST	53	59504	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:15.311350107 CEST	65198	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:15.331537962 CEST	53	65198	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:24.042071104 CEST	62910	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:24.061443090 CEST	53	62910	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:41.273905993 CEST	63863	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:41.295010090 CEST	53	63863	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:48.864797115 CEST	63229	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:48.881758928 CEST	53	63229	8.8.8.8	192.168.2.6
Sep 27, 2022 04:39:57.631242990 CEST	62538	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:39:57.653517008 CEST	53	62538	8.8.8.8	192.168.2.6
Sep 27, 2022 04:40:03.645433903 CEST	56122	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:40:03.663759947 CEST	53	56122	8.8.8.8	192.168.2.6
Sep 27, 2022 04:40:11.879111052 CEST	53943	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:40:11.898736000 CEST	53	53943	8.8.8.8	192.168.2.6
Sep 27, 2022 04:40:20.785633087 CEST	58917	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:40:20.802773952 CEST	53	58917	8.8.8.8	192.168.2.6
Sep 27, 2022 04:40:25.943315983 CEST	55629	53	192.168.2.6	8.8.8.8
Sep 27, 2022 04:40:25.964725971 CEST	53	55629	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2022 04:38:48.835799932 CEST	192.168.2.6	8.8.8.8	0x93fd	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:01.514961958 CEST	192.168.2.6	8.8.8.8	0x42d4	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:08.802707911 CEST	192.168.2.6	8.8.8.8	0xdd4c	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:15.311350107 CEST	192.168.2.6	8.8.8.8	0x6ecc	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:24.042071104 CEST	192.168.2.6	8.8.8.8	0x532e	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:41.273905993 CEST	192.168.2.6	8.8.8.8	0xc0cf	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:48.864797115 CEST	192.168.2.6	8.8.8.8	0xa069	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:57.631242990 CEST	192.168.2.6	8.8.8.8	0x95a4	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:03.645433903 CEST	192.168.2.6	8.8.8.8	0xbe03	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:11.879111052 CEST	192.168.2.6	8.8.8.8	0xc4a3	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:20.785633087 CEST	192.168.2.6	8.8.8.8	0x6b77	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:25.943315983 CEST	192.168.2.6	8.8.8.8	0x8778	Standard query (0)	dera5nano.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 27, 2022 04:38:48.857659101 CEST	8.8.8.8	192.168.2.6	0x93fd	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:01.534094095 CEST	8.8.8.8	192.168.2.6	0x42d4	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:08.820116043 CEST	8.8.8.8	192.168.2.6	0xdd4c	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:15.331537962 CEST	8.8.8.8	192.168.2.6	0x6ecc	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:24.061443090 CEST	8.8.8.8	192.168.2.6	0x532e	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:41.295010090 CEST	8.8.8.8	192.168.2.6	0xc0cf	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:48.881758928 CEST	8.8.8.8	192.168.2.6	0xa069	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:39:57.653517008 CEST	8.8.8.8	192.168.2.6	0x95a4	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:03.663759947 CEST	8.8.8.8	192.168.2.6	0xbe03	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:11.898736000 CEST	8.8.8.8	192.168.2.6	0xc4a3	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:20.802773952 CEST	8.8.8.8	192.168.2.6	0x6b77	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false
Sep 27, 2022 04:40:25.964725971 CEST	8.8.8.8	192.168.2.6	0x8778	No error (0)	dera5nano.ddns.net	185.216.71.194	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:38:21
Start date:	27/09/2022
Path:	C:\Users\user\Desktop\outstanding statement.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\outstanding statement.exe"
Imagebase:	0x610000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.290409484.0000000003B17000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5316, Parent PID: 5916

General

Target ID:	1
Start time:	04:38:34
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp949C.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5392, Parent PID: 5316

General

Target ID:	2
Start time:	04:38:35
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: outstanding statement.exePID: 5468, Parent PID: 5916

General

Target ID:	3
Start time:	04:38:35
Start date:	27/09/2022
Path:	C:\Users\user\Desktop\outstanding statement.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xbe0000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.303794652.0000000007101000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.553210177.0000000007520000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552823390.00000000073A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552462673.0000000007230000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.553773435.0000000007560000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552108671.0000000007200000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552972970.00000000073C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.540669244.00000000041C0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000000.271120372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.553109432.00000000073D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552899559.00000000073B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.539716386.00000000040F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.552699108.0000000007390000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.530140440.0000000003149000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.554089363.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548985482.0000000005A50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.550294873.0000000006AA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548939987.0000000005A40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.544886157.00000000043DE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.553477471.0000000007540000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: schtasks.exePID: 5700, Parent PID: 5468

General

Target ID:	9
Start time:	04:38:44
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpAB73.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5776, Parent PID: 5700

General

Target ID:	10
Start time:	04:38:44
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5436, Parent PID: 5468

General

Target ID:	12
Start time:	04:38:45
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 3132, Parent PID: 5436

General

Target ID:	13
Start time:	04:38:45
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: outstanding statement.exePID: 5832, Parent PID: 1064

General

Target ID:	16
Start time:	04:38:46
Start date:	27/09/2022
Path:	C:\Users\user\Desktop\outstanding statement.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\outstanding statement.exe" 0
Imagebase:	0x110000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: dhcpmon.exePID: 3068, Parent PID: 1064

General

Target ID:	17
Start time:	04:38:47
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xf0000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 81%, ReversingLabs Detection: 36%, Metadefender, Browse
Reputation:	low

Analysis Process: svchost.exePID: 1276, Parent PID: 576

General

Target ID:	20
Start time:	04:38:54
Start date:	27/09/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff603c50000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: dhcpmon.exePID: 5728, Parent PID: 3452

General

Target ID:	21
Start time:	04:38:56
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x250000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: schtasks.exePID: 3016, Parent PID: 5832

General

Target ID:	23
Start time:	04:39:12
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp27F3.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 2208, Parent PID: 3016

General

Target ID:	24
Start time:	04:39:13
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 5788, Parent PID: 3068

General

Target ID:	25
Start time:	04:39:13
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp29F7.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 4944, Parent PID: 5788

General

Target ID:	26
Start time:	04:39:13
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: outstanding statement.exePID: 5624, Parent PID: 5832

General

Target ID:	27
Start time:	04:39:14
Start date:	27/09/2022
Path:	C:\Users\user\Desktop\outstanding statement.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x410000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 4456, Parent PID: 3068

General

Target ID:	28
Start time:	04:39:16
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x300000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: outstanding statement.exePID: 1276, Parent PID: 5832

General

Target ID:	29
Start time:	04:39:17
Start date:	27/09/2022
Path:	C:\Users\user\Desktop\outstanding statement.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd10000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000002.426017926.0000000004109000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000002.420196088.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: dhcpmon.exePID: 2588, Parent PID: 3068

General

Target ID:	30
Start time:	04:39:17
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x1c0000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 6076, Parent PID: 3068

General

Target ID:	31
Start time:	04:39:18
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x2f0000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 4008, Parent PID: 3068

General

Target ID:	32
Start time:	04:39:19
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xb20000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000020.00000002.443941283.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: schtasks.exePID: 2040, Parent PID: 5728

General

Target ID:	34
Start time:	04:39:29
Start date:	27/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\user\AppData\Local\Temp\tmp6644.tmp
Imagebase:	0x1220000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3380, Parent PID: 2040

General

Target ID:	35
Start time:	04:39:30
Start date:	27/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: dhcpmon.exePID: 748, Parent PID: 5728

General

Target ID:	36
Start time:	04:39:36
Start date:	27/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x820000
File size:	764928 bytes
MD5 hash:	C83F7860B0C0F1AD76D8CA65C6BAD689
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report outstanding statement.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\outstanding statement.exe.log

C:\Users\user\AppData\Local\Temp\tmp27F3.tmp

C:\Users\user\AppData\Local\Temp\tmp29F7.tmp

C:\Users\user\AppData\Local\Temp\tmp6644.tmp

C:\Users\user\AppData\Local\Temp\tmp949C.tmp

C:\Users\user\AppData\Local\Temp\tmpAB73.tmp

C:\Users\user\AppData\Local\Temp\tmpAEBF.tmp

Windows Analysis Report
outstanding statement.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre