Edit tour

Windows Analysis Report
Jens Frodesen CV.exe

Overview

General Information

Sample Name:	Jens Frodesen CV.exe
Analysis ID:	711362
MD5:	89197e451346ed5a3ba154f394948de7
SHA1:	0e9d39ec84881ca095a9c1400d64ec586e983402
SHA256:	dbab1bf30e571bddf1c21a19bedebffd5a348145ea76abddc34a5172df49aa3b
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Yara detected AntiVM3

Detected Nanocore Rat

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Jens Frodesen CV.exe (PID: 2932 cmdline: "C:\Users\user\Desktop\Jens Frodesen CV.exe" MD5: 89197E451346ED5A3BA154F394948DE7)

schtasks.exe (PID: 5452 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Jens Frodesen CV.exe (PID: 5344 cmdline: {path} MD5: 89197E451346ED5A3BA154F394948DE7)

schtasks.exe (PID: 4188 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7194.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6072 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp75AC.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Jens Frodesen CV.exe (PID: 244 cmdline: "C:\Users\user\Desktop\Jens Frodesen CV.exe" 0 MD5: 89197E451346ED5A3BA154F394948DE7)

schtasks.exe (PID: 5080 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Jens Frodesen CV.exe (PID: 1540 cmdline: {path} MD5: 89197E451346ED5A3BA154F394948DE7)

Jens Frodesen CV.exe (PID: 4720 cmdline: {path} MD5: 89197E451346ED5A3BA154F394948DE7)

dhcpmon.exe (PID: 4320 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 89197E451346ED5A3BA154F394948DE7)

schtasks.exe (PID: 5564 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 3104 cmdline: {path} MD5: 89197E451346ED5A3BA154F394948DE7)

dhcpmon.exe (PID: 988 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 89197E451346ED5A3BA154F394948DE7)

schtasks.exe (PID: 5524 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpE91E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 5788 cmdline: {path} MD5: 89197E451346ED5A3BA154F394948DE7)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fba1bbc6-2cc8-4c94-b6c0-dda5a12f", "Group": "Default", "Domain1": "brightnano1.ddns.net", "Domain2": "", "Port": 1989, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55ba7:$a: NanoCore 0x55c91:$a: NanoCore 0x56b08:$a: NanoCore 0x5fcb2:$a: NanoCore 0x5fd13:$a: NanoCore 0x5fd56:$a: NanoCore 0x5fd96:$a: NanoCore 0x5ffd2:$a: NanoCore 0x60072:$a: NanoCore 0x6084a:$a: NanoCore 0x60e3d:$a: NanoCore 0x60f8e:$a: NanoCore 0x61de8:$a: NanoCore 0x6204f:$a: NanoCore 0x62064:$a: NanoCore 0x62083:$a: NanoCore 0x6af86:$a: NanoCore 0x6afaf:$a: NanoCore 0x76d28:$a: NanoCore 0x76d51:$a: NanoCore 0x9bc14:$a: NanoCore
00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x55ba7:$a1: NanoCore.ClientPluginHost 0x5ffd2:$a1: NanoCore.ClientPluginHost 0x6afaf:$a1: NanoCore.ClientPluginHost 0x76d51:$a1: NanoCore.ClientPluginHost 0x9bc55:$a1: NanoCore.ClientPluginHost 0xab095:$a1: NanoCore.ClientPluginHost 0x55c91:$a2: NanoCore.ClientPlugin 0x60072:$a2: NanoCore.ClientPlugin 0x6af86:$a2: NanoCore.ClientPlugin 0x76d28:$a2: NanoCore.ClientPlugin 0x9bc2c:$a2: NanoCore.ClientPlugin 0xab070:$a2: NanoCore.ClientPlugin 0xab086:$b4: IClientAppHost 0x574ea:$b7: LogClientException 0x60dc8:$b7: LogClientException 0x7909a:$b7: LogClientException 0xa0c80:$b7: LogClientException 0xaf575:$b7: LogClientException 0x56afd:$b8: PipeExists 0x55bc1:$b9: IClientLoggingHost 0x5ffec:$b9: IClientLoggingHost
00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37f6f:$a: NanoCore 0x37fc8:$a: NanoCore 0x38005:$a: NanoCore 0x3807e:$a: NanoCore 0xa9a6a:$a: NanoCore 0xa9a8f:$a: NanoCore 0xa9ae8:$a: NanoCore 0xb9ccf:$a: NanoCore 0xb9cf5:$a: NanoCore 0xb9d51:$a: NanoCore 0xc6beb:$a: NanoCore 0xc6c44:$a: NanoCore 0xc6c77:$a: NanoCore 0xc6ea3:$a: NanoCore 0xc6f1f:$a: NanoCore 0xc7538:$a: NanoCore 0xc7681:$a: NanoCore 0xc7b55:$a: NanoCore 0xc7e3c:$a: NanoCore 0xc7e53:$a: NanoCore 0xd0d37:$a: NanoCore
00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x38005:$a1: NanoCore.ClientPluginHost 0xa9a8f:$a1: NanoCore.ClientPluginHost 0xb9cf5:$a1: NanoCore.ClientPluginHost 0xc6ea3:$a1: NanoCore.ClientPluginHost 0xd0d37:$a1: NanoCore.ClientPluginHost 0xd8ca1:$a1: NanoCore.ClientPluginHost 0xdecb8:$a1: NanoCore.ClientPluginHost 0xe8767:$a1: NanoCore.ClientPluginHost 0xf2bd7:$a1: NanoCore.ClientPluginHost 0xfdbfd:$a1: NanoCore.ClientPluginHost 0x1099e7:$a1: NanoCore.ClientPluginHost 0x1157a6:$a1: NanoCore.ClientPluginHost 0x37fc8:$a2: NanoCore.ClientPlugin 0xa9a6a:$a2: NanoCore.ClientPlugin 0xb9ccf:$a2: NanoCore.ClientPlugin 0xc6f1f:$a2: NanoCore.ClientPlugin 0xd0db3:$a2: NanoCore.ClientPlugin 0xd8d1b:$a2: NanoCore.ClientPlugin 0xded02:$a2: NanoCore.ClientPlugin 0xe8851:$a2: NanoCore.ClientPlugin 0xf2c77:$a2: NanoCore.ClientPlugin
00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xda5:$a1: NanoCore.ClientPluginHost 0xd70:$a2: NanoCore.ClientPlugin 0xdbf:$b9: IClientLoggingHost
00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bb4:$a: NanoCore 0x1bdd:$a: NanoCore 0xd9ae:$a: NanoCore 0xd9d7:$a: NanoCore 0x19785:$a: NanoCore 0x1979d:$a: NanoCore 0x197c2:$a: NanoCore 0x23a09:$a: NanoCore 0x23a62:$a: NanoCore 0x23a9f:$a: NanoCore 0x23b18:$a: NanoCore 0x28829:$a: NanoCore 0x28882:$a: NanoCore 0x288bf:$a: NanoCore 0x28938:$a: NanoCore 0x19d4:$b: ClientPlugin 0x19e8:$b: ClientPlugin 0x1a18:$b: ClientPlugin 0x1bbd:$b: ClientPlugin 0x1be6:$b: ClientPlugin 0xd7d5:$b: ClientPlugin
00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1bdd:$a1: NanoCore.ClientPluginHost 0xd9d7:$a1: NanoCore.ClientPluginHost 0x197c2:$a1: NanoCore.ClientPluginHost 0x23a9f:$a1: NanoCore.ClientPluginHost 0x288bf:$a1: NanoCore.ClientPluginHost 0x1bb4:$a2: NanoCore.ClientPlugin 0xd9ae:$a2: NanoCore.ClientPlugin 0x1979d:$a2: NanoCore.ClientPlugin 0x23a62:$a2: NanoCore.ClientPlugin 0x28882:$a2: NanoCore.ClientPlugin 0x23e36:$b1: get_BuilderSettings 0x28c56:$b1: get_BuilderSettings 0x197b3:$b4: IClientAppHost 0x23aed:$b4: IClientAppHost 0x2890d:$b4: IClientAppHost 0x23ea7:$b6: AddHostEntry 0x28cc7:$b6: AddHostEntry 0xfd20:$b7: LogClientException 0x1dca2:$b7: LogClientException 0x23f16:$b7: LogClientException 0x28d36:$b7: LogClientException
00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6943f:$a: NanoCore 0x69498:$a: NanoCore 0x694d5:$a: NanoCore 0x6954e:$a: NanoCore 0x694a1:$b: ClientPlugin 0x694de:$b: ClientPlugin 0x69ddc:$b: ClientPlugin 0x69de9:$b: ClientPlugin 0x5f5bb:$e: KeepAlive 0x69929:$g: LogClientMessage 0x698a9:$i: get_Connected 0x59875:$j: #=q 0x598a5:$j: #=q 0x598e1:$j: #=q 0x59909:$j: #=q 0x59939:$j: #=q 0x59969:$j: #=q 0x59999:$j: #=q 0x599c9:$j: #=q 0x599e5:$j: #=q 0x59a15:$j: #=q
0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694d5:$a1: NanoCore.ClientPluginHost 0x69498:$a2: NanoCore.ClientPlugin 0x5adaf:$b1: get_BuilderSettings 0x6986c:$b1: get_BuilderSettings 0x69523:$b4: IClientAppHost 0x698dd:$b6: AddHostEntry 0x5ad1e:$b7: LogClientException 0x6994c:$b7: LogClientException 0x698c1:$b8: PipeExists 0x69510:$b9: IClientLoggingHost
00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x16b9:$a: NanoCore 0x1712:$a: NanoCore 0x174f:$a: NanoCore 0x17c8:$a: NanoCore 0x14e73:$a: NanoCore 0x14e88:$a: NanoCore 0x14ebd:$a: NanoCore 0x22ad2:$a: NanoCore 0x22af7:$a: NanoCore 0x22b50:$a: NanoCore 0x32ced:$a: NanoCore 0x32d13:$a: NanoCore 0x32d6f:$a: NanoCore 0x3fbc4:$a: NanoCore 0x3fc1d:$a: NanoCore 0x3fc50:$a: NanoCore 0x3fe7c:$a: NanoCore 0x3fef8:$a: NanoCore 0x40511:$a: NanoCore 0x4065a:$a: NanoCore 0x40b2e:$a: NanoCore
00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x174f:$a1: NanoCore.ClientPluginHost 0x14ebd:$a1: NanoCore.ClientPluginHost 0x22af7:$a1: NanoCore.ClientPluginHost 0x32d13:$a1: NanoCore.ClientPluginHost 0x3fe7c:$a1: NanoCore.ClientPluginHost 0x463ca:$a1: NanoCore.ClientPluginHost 0x4c39b:$a1: NanoCore.ClientPluginHost 0x55e07:$a1: NanoCore.ClientPluginHost 0x60232:$a1: NanoCore.ClientPluginHost 0x6b20f:$a1: NanoCore.ClientPluginHost 0x76fb1:$a1: NanoCore.ClientPluginHost 0x9beb5:$a1: NanoCore.ClientPluginHost 0xab2f5:$a1: NanoCore.ClientPluginHost 0x1712:$a2: NanoCore.ClientPlugin 0x14e88:$a2: NanoCore.ClientPlugin 0x22ad2:$a2: NanoCore.ClientPlugin 0x32ced:$a2: NanoCore.ClientPlugin 0x3fef8:$a2: NanoCore.ClientPlugin 0x46444:$a2: NanoCore.ClientPlugin 0x4c3e5:$a2: NanoCore.ClientPlugin 0x55ef1:$a2: NanoCore.ClientPlugin
00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb3f5f:$a: NanoCore 0xb3f84:$a: NanoCore 0xb3fdd:$a: NanoCore 0xc417c:$a: NanoCore 0xc41a2:$a: NanoCore 0xc41fe:$a: NanoCore 0xd1055:$a: NanoCore 0xd10ae:$a: NanoCore 0xd10e1:$a: NanoCore 0xd130d:$a: NanoCore 0xd1389:$a: NanoCore 0xd19a2:$a: NanoCore 0xd1aeb:$a: NanoCore 0xd1fbf:$a: NanoCore 0xd22a6:$a: NanoCore 0xd22bd:$a: NanoCore 0xdb161:$a: NanoCore 0xdb1dd:$a: NanoCore 0xddac0:$a: NanoCore 0xe3089:$a: NanoCore 0xe3103:$a: NanoCore
00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb3f84:$a1: NanoCore.ClientPluginHost 0xc41a2:$a1: NanoCore.ClientPluginHost 0xd130d:$a1: NanoCore.ClientPluginHost 0xdb161:$a1: NanoCore.ClientPluginHost 0xe3089:$a1: NanoCore.ClientPluginHost 0xe905c:$a1: NanoCore.ClientPluginHost 0xf2aca:$a1: NanoCore.ClientPluginHost 0xfcef7:$a1: NanoCore.ClientPluginHost 0x107ed6:$a1: NanoCore.ClientPluginHost 0x113c7a:$a1: NanoCore.ClientPluginHost 0x138b80:$a1: NanoCore.ClientPluginHost 0x147fc2:$a1: NanoCore.ClientPluginHost 0x16f5cb:$a1: NanoCore.ClientPluginHost 0xb3f5f:$a2: NanoCore.ClientPlugin 0xc417c:$a2: NanoCore.ClientPlugin 0xd1389:$a2: NanoCore.ClientPlugin 0xdb1dd:$a2: NanoCore.ClientPlugin 0xe3103:$a2: NanoCore.ClientPlugin 0xe90a6:$a2: NanoCore.ClientPlugin 0xf2bb4:$a2: NanoCore.ClientPlugin 0xfcf97:$a2: NanoCore.ClientPlugin
00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cc45d:$x1: NanoCore.ClientPluginHost 0x1cc49a:$x2: IClientNetworkHost 0x1cffcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1cc1c5:$a: NanoCore 0x1cc1d5:$a: NanoCore 0x1cc409:$a: NanoCore 0x1cc41d:$a: NanoCore 0x1cc45d:$a: NanoCore 0x1cc224:$b: ClientPlugin 0x1cc426:$b: ClientPlugin 0x1cc466:$b: ClientPlugin 0x1cc34b:$c: ProjectData 0x2b0d8a:$c: ProjectData 0x1ccd52:$d: DESCrypto 0x1d471e:$e: KeepAlive 0x1d270c:$g: LogClientMessage 0x1ce907:$i: get_Connected 0x1cd088:$j: #=q 0x1cd0b8:$j: #=q 0x1cd0d4:$j: #=q 0x1cd104:$j: #=q 0x1cd120:$j: #=q 0x1cd13c:$j: #=q 0x1cd16c:$j: #=q
00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1cc45d:$a1: NanoCore.ClientPluginHost 0x1cc41d:$a2: NanoCore.ClientPlugin 0x1ce376:$b1: get_BuilderSettings 0x1cc279:$b2: ClientLoaderForm.resources 0x1cda96:$b3: PluginCommand 0x1cc44e:$b4: IClientAppHost 0x1d68ce:$b5: GetBlockHash 0x1ce9ce:$b6: AddHostEntry 0x1d26c1:$b7: LogClientException 0x1ce93b:$b8: PipeExists 0x1cc487:$b9: IClientLoggingHost
00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xdb9:$a1: NanoCore.ClientPluginHost 0xd84:$a2: NanoCore.ClientPlugin 0xdd3:$b9: IClientLoggingHost
00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x286c:$a1: NanoCore.ClientPluginHost 0x2847:$a2: NanoCore.ClientPlugin 0x285d:$b4: IClientAppHost 0x6d4c:$b7: LogClientException 0x2896:$b9: IClientLoggingHost
00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6940b:$a: NanoCore 0x69464:$a: NanoCore 0x694a1:$a: NanoCore 0x6951a:$a: NanoCore 0x6946d:$b: ClientPlugin 0x694aa:$b: ClientPlugin 0x69da8:$b: ClientPlugin 0x69db5:$b: ClientPlugin 0x5f587:$e: KeepAlive 0x698f5:$g: LogClientMessage 0x69875:$i: get_Connected 0x59841:$j: #=q 0x59871:$j: #=q 0x598ad:$j: #=q 0x598d5:$j: #=q 0x59905:$j: #=q 0x59935:$j: #=q 0x59965:$j: #=q 0x59995:$j: #=q 0x599b1:$j: #=q 0x599e1:$j: #=q
0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x694a1:$a1: NanoCore.ClientPluginHost 0x69464:$a2: NanoCore.ClientPlugin 0x5ad7b:$b1: get_BuilderSettings 0x69838:$b1: get_BuilderSettings 0x694ef:$b4: IClientAppHost 0x698a9:$b6: AddHostEntry 0x5acea:$b7: LogClientException 0x69918:$b7: LogClientException 0x6988d:$b8: PipeExists 0x694dc:$b9: IClientLoggingHost
00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b19:$a: NanoCore 0x1b72:$a: NanoCore 0x1baf:$a: NanoCore 0x1c28:$a: NanoCore 0x152d3:$a: NanoCore 0x152e8:$a: NanoCore 0x1531d:$a: NanoCore 0x22f32:$a: NanoCore 0x22f57:$a: NanoCore 0x22fb0:$a: NanoCore 0x3314d:$a: NanoCore 0x33173:$a: NanoCore 0x331cf:$a: NanoCore 0x40024:$a: NanoCore 0x4007d:$a: NanoCore 0x400b0:$a: NanoCore 0x402dc:$a: NanoCore 0x40358:$a: NanoCore 0x40971:$a: NanoCore 0x40aba:$a: NanoCore 0x40f8e:$a: NanoCore
00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1baf:$a1: NanoCore.ClientPluginHost 0x1531d:$a1: NanoCore.ClientPluginHost 0x22f57:$a1: NanoCore.ClientPluginHost 0x33173:$a1: NanoCore.ClientPluginHost 0x402dc:$a1: NanoCore.ClientPluginHost 0x4682a:$a1: NanoCore.ClientPluginHost 0x4c7fb:$a1: NanoCore.ClientPluginHost 0x56267:$a1: NanoCore.ClientPluginHost 0x60692:$a1: NanoCore.ClientPluginHost 0x6b66f:$a1: NanoCore.ClientPluginHost 0x1b72:$a2: NanoCore.ClientPlugin 0x152e8:$a2: NanoCore.ClientPlugin 0x22f32:$a2: NanoCore.ClientPlugin 0x3314d:$a2: NanoCore.ClientPlugin 0x40358:$a2: NanoCore.ClientPlugin 0x468a4:$a2: NanoCore.ClientPlugin 0x4c845:$a2: NanoCore.ClientPlugin 0x56351:$a2: NanoCore.ClientPlugin 0x60732:$a2: NanoCore.ClientPlugin 0x6b646:$a2: NanoCore.ClientPlugin 0x1f46:$b1: get_BuilderSettings
00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x164b:$a1: NanoCore.ClientPluginHost 0x160e:$a2: NanoCore.ClientPlugin 0x19e2:$b1: get_BuilderSettings 0x1699:$b4: IClientAppHost 0x1a53:$b6: AddHostEntry 0x1ac2:$b7: LogClientException 0x1a37:$b8: PipeExists 0x1686:$b9: IClientLoggingHost
00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x954c5:$x1: NanoCore.ClientPluginHost 0x95502:$x2: IClientNetworkHost 0x99035:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9522d:$a: NanoCore 0x9523d:$a: NanoCore 0x95471:$a: NanoCore 0x95485:$a: NanoCore 0x954c5:$a: NanoCore 0x9528c:$b: ClientPlugin 0x9548e:$b: ClientPlugin 0x954ce:$b: ClientPlugin 0x953b3:$c: ProjectData 0x16758e:$c: ProjectData 0x95dba:$d: DESCrypto 0x9d786:$e: KeepAlive 0x9b774:$g: LogClientMessage 0x9796f:$i: get_Connected 0x960f0:$j: #=q 0x96120:$j: #=q 0x9613c:$j: #=q 0x9616c:$j: #=q 0x96188:$j: #=q 0x961a4:$j: #=q 0x961d4:$j: #=q
00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x954c5:$a1: NanoCore.ClientPluginHost 0x95485:$a2: NanoCore.ClientPlugin 0x973de:$b1: get_BuilderSettings 0x952e1:$b2: ClientLoaderForm.resources 0x96afe:$b3: PluginCommand 0x954b6:$b4: IClientAppHost 0x9f936:$b5: GetBlockHash 0x97a36:$b6: AddHostEntry 0x9b729:$b7: LogClientException 0x979a3:$b8: PipeExists 0x954ef:$b9: IClientLoggingHost
Process Memory Space: Jens Frodesen CV.exe PID: 2932	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbf07e:$x1: NanoCore.ClientPluginHost 0x12a42c:$x1: NanoCore.ClientPluginHost 0xbf0bb:$x2: IClientNetworkHost 0x12a469:$x2: IClientNetworkHost 0xc2820:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xcd78c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12df5a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x138fe0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Jens Frodesen CV.exe PID: 2932	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x825b7:$s5: AEAAAAMAAQqVT 0x5f7f1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x82528:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x104aa9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x168ac2:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: Jens Frodesen CV.exe PID: 2932	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Jens Frodesen CV.exe PID: 2932	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Jens Frodesen CV.exe PID: 2932	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbed95:$a: NanoCore 0xbeda5:$a: NanoCore 0xbee1a:$a: NanoCore 0xbee29:$a: NanoCore 0xbf02a:$a: NanoCore 0xbf03e:$a: NanoCore 0xbf07e:$a: NanoCore 0xc9df6:$a: NanoCore 0xc9e08:$a: NanoCore 0xc9e44:$a: NanoCore 0x12a0f9:$a: NanoCore 0x12a109:$a: NanoCore 0x12a1c8:$a: NanoCore 0x12a1d7:$a: NanoCore 0x12a3d8:$a: NanoCore 0x12a3ec:$a: NanoCore 0x12a42c:$a: NanoCore 0x13564a:$a: NanoCore 0x13565c:$a: NanoCore 0x135698:$a: NanoCore 0xbedb9:$b: ClientPlugin
Process Memory Space: Jens Frodesen CV.exe PID: 2932	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbf07e:$a1: NanoCore.ClientPluginHost 0x12a42c:$a1: NanoCore.ClientPluginHost 0xbf03e:$a2: NanoCore.ClientPlugin 0x12a3ec:$a2: NanoCore.ClientPlugin 0xc0bd0:$b1: get_BuilderSettings 0x12c303:$b1: get_BuilderSettings 0xbedff:$b2: ClientLoaderForm.resources 0x12a1ad:$b2: ClientLoaderForm.resources 0xc0306:$b3: PluginCommand 0x12ba23:$b3: PluginCommand 0xbf06f:$b4: IClientAppHost 0x12a41d:$b4: IClientAppHost 0xc911c:$b5: GetBlockHash 0x134856:$b5: GetBlockHash 0xc1221:$b6: AddHostEntry 0xcc226:$b6: AddHostEntry 0x12c95b:$b6: AddHostEntry 0x137a7a:$b6: AddHostEntry 0xc4f14:$b7: LogClientException 0xcfd67:$b7: LogClientException 0x13064e:$b7: LogClientException
Process Memory Space: Jens Frodesen CV.exe PID: 5344	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfb6f:$x1: NanoCore.ClientPluginHost 0x6185c:$x1: NanoCore.ClientPluginHost 0x63f78:$x1: NanoCore.ClientPluginHost 0x6c3ca:$x1: NanoCore.ClientPluginHost 0xaa35a:$x1: NanoCore.ClientPluginHost 0xc1d5e:$x1: NanoCore.ClientPluginHost 0x120c1a:$x1: NanoCore.ClientPluginHost 0x17b78d:$x1: NanoCore.ClientPluginHost 0x197669:$x1: NanoCore.ClientPluginHost 0x1ad5a0:$x1: NanoCore.ClientPluginHost 0x1c771c:$x1: NanoCore.ClientPluginHost 0x1d2bc1:$x1: NanoCore.ClientPluginHost 0x207b9b:$x1: NanoCore.ClientPluginHost 0x20fa7e:$x1: NanoCore.ClientPluginHost 0x213757:$x1: NanoCore.ClientPluginHost 0x217cd5:$x1: NanoCore.ClientPluginHost 0x21cc3d:$x1: NanoCore.ClientPluginHost 0x22faa5:$x1: NanoCore.ClientPluginHost 0x24fb1d:$x1: NanoCore.ClientPluginHost 0x258fd5:$x1: NanoCore.ClientPluginHost 0x25c25b:$x1: NanoCore.ClientPluginHost
Process Memory Space: Jens Frodesen CV.exe PID: 5344	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Jens Frodesen CV.exe PID: 5344	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x231a:$a: NanoCore 0x25ee:$a: NanoCore 0x25ff:$a: NanoCore 0x28bb:$a: NanoCore 0x4fdd:$a: NanoCore 0x5039:$a: NanoCore 0x50b8:$a: NanoCore 0xfad9:$a: NanoCore 0xfb32:$a: NanoCore 0xfb6f:$a: NanoCore 0xfbe8:$a: NanoCore 0x1048c:$a: NanoCore 0x104df:$a: NanoCore 0x10518:$a: NanoCore 0x1058b:$a: NanoCore 0x29316:$a: NanoCore 0x29339:$a: NanoCore 0x2938e:$a: NanoCore 0x342a5:$a: NanoCore 0x342c9:$a: NanoCore 0x34321:$a: NanoCore
Process Memory Space: Jens Frodesen CV.exe PID: 5344	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xfb6f:$a1: NanoCore.ClientPluginHost 0x6185c:$a1: NanoCore.ClientPluginHost 0x63f78:$a1: NanoCore.ClientPluginHost 0x6c3ca:$a1: NanoCore.ClientPluginHost 0xaa35a:$a1: NanoCore.ClientPluginHost 0xc1d5e:$a1: NanoCore.ClientPluginHost 0x120c1a:$a1: NanoCore.ClientPluginHost 0x17b78d:$a1: NanoCore.ClientPluginHost 0x197669:$a1: NanoCore.ClientPluginHost 0x1ad5a0:$a1: NanoCore.ClientPluginHost 0x1c771c:$a1: NanoCore.ClientPluginHost 0x1d2bc1:$a1: NanoCore.ClientPluginHost 0x207b9b:$a1: NanoCore.ClientPluginHost 0x20fa7e:$a1: NanoCore.ClientPluginHost 0x213757:$a1: NanoCore.ClientPluginHost 0x217cd5:$a1: NanoCore.ClientPluginHost 0x21cc3d:$a1: NanoCore.ClientPluginHost 0x22faa5:$a1: NanoCore.ClientPluginHost 0x24fb1d:$a1: NanoCore.ClientPluginHost 0x258fd5:$a1: NanoCore.ClientPluginHost 0x25c25b:$a1: NanoCore.ClientPluginHost
Process Memory Space: Jens Frodesen CV.exe PID: 244	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x4b10:$s5: AEAAAAMAAQqVT 0x4a81:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1ce3e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 4320	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x3d3a:$s5: AEAAAAMAAQqVT 0x3cab:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1dd22:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 988	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x1b8eb:$s5: AEAAAAMAAQqVT 0xc4da:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1b85c:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: dhcpmon.exe PID: 3104	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 3104	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x437a:$a: NanoCore 0x43d6:$a: NanoCore 0x445e:$a: NanoCore 0x19e37:$a: NanoCore 0x19e90:$a: NanoCore 0x19ecd:$a: NanoCore 0x19f46:$a: NanoCore 0x1a6d4:$a: NanoCore 0x1a727:$a: NanoCore 0x1a760:$a: NanoCore 0x1a7d3:$a: NanoCore 0x1b3ab:$a: NanoCore 0x1c790:$a: NanoCore 0x1c7a5:$a: NanoCore 0x1c7da:$a: NanoCore 0x1cb77:$a: NanoCore 0x1cb8a:$a: NanoCore 0x1cbbc:$a: NanoCore 0x26f37:$a: NanoCore 0x26f4c:$a: NanoCore 0x26f81:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 3104	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x19ecd:$a1: NanoCore.ClientPluginHost 0x1c7da:$a1: NanoCore.ClientPluginHost 0x26f81:$a1: NanoCore.ClientPluginHost 0x2a6cc:$a1: NanoCore.ClientPluginHost 0x19e90:$a2: NanoCore.ClientPlugin 0x1c7a5:$a2: NanoCore.ClientPlugin 0x26f4c:$a2: NanoCore.ClientPlugin 0x2a68f:$a2: NanoCore.ClientPlugin 0x13618:$b1: get_BuilderSettings 0x254d1:$b1: get_BuilderSettings 0x2aa46:$b1: get_BuilderSettings 0x19f1b:$b4: IClientAppHost 0x2a71a:$b4: IClientAppHost 0x1a22e:$b6: AddHostEntry 0x2aab7:$b6: AddHostEntry 0x13587:$b7: LogClientException 0x25440:$b7: LogClientException 0x2ab26:$b7: LogClientException 0x1a212:$b8: PipeExists 0x2aa9b:$b8: PipeExists 0x19f08:$b9: IClientLoggingHost
Process Memory Space: Jens Frodesen CV.exe PID: 4720	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Jens Frodesen CV.exe PID: 4720	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xebc8:$a: NanoCore 0xec24:$a: NanoCore 0xeca4:$a: NanoCore 0x24459:$a: NanoCore 0x244b2:$a: NanoCore 0x244ef:$a: NanoCore 0x24568:$a: NanoCore 0x24cf6:$a: NanoCore 0x24d49:$a: NanoCore 0x24d82:$a: NanoCore 0x24df5:$a: NanoCore 0x25938:$a: NanoCore 0x27a41:$a: NanoCore 0x7b39:$b: ClientPlugin 0x7b7a:$b: ClientPlugin 0x1f7b2:$b: ClientPlugin 0x1f7f3:$b: ClientPlugin 0x244bb:$b: ClientPlugin 0x244f8:$b: ClientPlugin 0x24ca6:$b: ClientPlugin 0x24cb3:$b: ClientPlugin
Process Memory Space: Jens Frodesen CV.exe PID: 4720	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x244ef:$a1: NanoCore.ClientPluginHost 0x244b2:$a2: NanoCore.ClientPlugin 0x3d7a:$b1: get_BuilderSettings 0x1dc3a:$b1: get_BuilderSettings 0x2453d:$b4: IClientAppHost 0x24850:$b6: AddHostEntry 0x3ce9:$b7: LogClientException 0x1dba9:$b7: LogClientException 0x24834:$b8: PipeExists 0x2452a:$b9: IClientLoggingHost
Click to see the 108 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x27b51:$x1: NanoCore.ClientPluginHost 0x2db68:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x27b8a:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1fbe7:$x2: NanoCore.ClientPluginHost 0x27b51:$x2: NanoCore.ClientPluginHost 0x2db68:$x2: NanoCore.ClientPluginHost 0x37617:$x2: NanoCore.ClientPluginHost 0x41a87:$x2: NanoCore.ClientPluginHost 0x4caad:$x2: NanoCore.ClientPluginHost 0x58897:$x2: NanoCore.ClientPluginHost 0x64656:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x3856d:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1fceb:$s4: PipeCreated 0x27c6c:$s4: PipeCreated 0x2dc46:$s4: PipeCreated 0x3780d:$s4: PipeCreated 0x41bd2:$s4: PipeCreated 0x4dae2:$s4: PipeCreated 0x5a642:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15dcf:$x2: NanoCore.ClientPlugin 0x1fc63:$x2: NanoCore.ClientPlugin 0x27bcb:$x2: NanoCore.ClientPlugin 0x2dbb2:$x2: NanoCore.ClientPlugin 0x37701:$x2: NanoCore.ClientPlugin 0x41b27:$x2: NanoCore.ClientPlugin 0x4ca84:$x2: NanoCore.ClientPlugin 0x5886e:$x2: NanoCore.ClientPlugin 0x64631:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d53:$x3: NanoCore.ClientPluginHost 0x1fbe7:$x3: NanoCore.ClientPluginHost 0x27b51:$x3: NanoCore.ClientPluginHost 0x2db68:$x3: NanoCore.ClientPluginHost 0x37617:$x3: NanoCore.ClientPluginHost 0x41a87:$x3: NanoCore.ClientPluginHost 0x4caad:$x3: NanoCore.ClientPluginHost 0x58897:$x3: NanoCore.ClientPluginHost 0x64656:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x27b51:$a: NanoCore 0x27bcb:$a: NanoCore 0x2db68:$a: NanoCore 0x2dbb2:$a: NanoCore 0x2e80c:$a: NanoCore
3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d53:$a1: NanoCore.ClientPluginHost 0x1fbe7:$a1: NanoCore.ClientPluginHost 0x27b51:$a1: NanoCore.ClientPluginHost 0x2db68:$a1: NanoCore.ClientPluginHost 0x37617:$a1: NanoCore.ClientPluginHost 0x41a87:$a1: NanoCore.ClientPluginHost 0x4caad:$a1: NanoCore.ClientPluginHost 0x58897:$a1: NanoCore.ClientPluginHost 0x64656:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15dcf:$a2: NanoCore.ClientPlugin 0x1fc63:$a2: NanoCore.ClientPlugin 0x27bcb:$a2: NanoCore.ClientPlugin 0x2dbb2:$a2: NanoCore.ClientPlugin 0x37701:$a2: NanoCore.ClientPlugin 0x41b27:$a2: NanoCore.ClientPlugin 0x4ca84:$a2: NanoCore.ClientPlugin 0x5886e:$a2: NanoCore.ClientPlugin 0x64631:$a2: NanoCore.ClientPlugin 0x64647:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14e21:$x1: NanoCore.ClientPluginHost 0x21fcf:$x1: NanoCore.ClientPluginHost 0x2be63:$x1: NanoCore.ClientPluginHost 0x33dcd:$x1: NanoCore.ClientPluginHost 0x39de4:$x1: NanoCore.ClientPluginHost 0x43893:$x1: NanoCore.ClientPluginHost 0x4dd03:$x1: NanoCore.ClientPluginHost 0x58d29:$x1: NanoCore.ClientPluginHost 0x64b13:$x1: NanoCore.ClientPluginHost 0x708d2:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e4e:$x2: IClientNetworkHost 0x22008:$x2: IClientNetworkHost 0x2be9c:$x2: IClientNetworkHost 0x33e06:$x2: IClientNetworkHost 0x439f0:$x2: IClientNetworkHost 0x4dd3c:$x2: IClientNetworkHost 0x58d43:$x2: IClientNetworkHost 0x64b2d:$x2: IClientNetworkHost 0x7090f:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14e21:$x2: NanoCore.ClientPluginHost 0x21fcf:$x2: NanoCore.ClientPluginHost 0x2be63:$x2: NanoCore.ClientPluginHost 0x33dcd:$x2: NanoCore.ClientPluginHost 0x39de4:$x2: NanoCore.ClientPluginHost 0x43893:$x2: NanoCore.ClientPluginHost 0x4dd03:$x2: NanoCore.ClientPluginHost 0x58d29:$x2: NanoCore.ClientPluginHost 0x64b13:$x2: NanoCore.ClientPluginHost 0x708d2:$x2: NanoCore.ClientPluginHost 0x15df0:$s2: FileCommand 0x447e9:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a7f2:$s4: PipeCreated 0x220ec:$s4: PipeCreated 0x2bf67:$s4: PipeCreated 0x33ee8:$s4: PipeCreated 0x39ec2:$s4: PipeCreated 0x43a89:$s4: PipeCreated 0x4de4e:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dfb:$x2: NanoCore.ClientPlugin 0x2204b:$x2: NanoCore.ClientPlugin 0x2bedf:$x2: NanoCore.ClientPlugin 0x33e47:$x2: NanoCore.ClientPlugin 0x39e2e:$x2: NanoCore.ClientPlugin 0x4397d:$x2: NanoCore.ClientPlugin 0x4dda3:$x2: NanoCore.ClientPlugin 0x58d00:$x2: NanoCore.ClientPlugin 0x64aea:$x2: NanoCore.ClientPlugin 0x708ad:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14e21:$x3: NanoCore.ClientPluginHost 0x21fcf:$x3: NanoCore.ClientPluginHost 0x2be63:$x3: NanoCore.ClientPluginHost 0x33dcd:$x3: NanoCore.ClientPluginHost 0x39de4:$x3: NanoCore.ClientPluginHost 0x43893:$x3: NanoCore.ClientPluginHost 0x4dd03:$x3: NanoCore.ClientPluginHost 0x58d29:$x3: NanoCore.ClientPluginHost 0x64b13:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dfb:$a: NanoCore 0x14e21:$a: NanoCore 0x14e7d:$a: NanoCore 0x21d17:$a: NanoCore 0x21d70:$a: NanoCore 0x21da3:$a: NanoCore 0x21fcf:$a: NanoCore 0x2204b:$a: NanoCore 0x22664:$a: NanoCore 0x227ad:$a: NanoCore 0x22c81:$a: NanoCore 0x22f68:$a: NanoCore 0x22f7f:$a: NanoCore 0x2be63:$a: NanoCore 0x2bedf:$a: NanoCore 0x2e7c2:$a: NanoCore 0x33dcd:$a: NanoCore 0x33e47:$a: NanoCore
3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14e21:$a1: NanoCore.ClientPluginHost 0x21fcf:$a1: NanoCore.ClientPluginHost 0x2be63:$a1: NanoCore.ClientPluginHost 0x33dcd:$a1: NanoCore.ClientPluginHost 0x39de4:$a1: NanoCore.ClientPluginHost 0x43893:$a1: NanoCore.ClientPluginHost 0x4dd03:$a1: NanoCore.ClientPluginHost 0x58d29:$a1: NanoCore.ClientPluginHost 0x64b13:$a1: NanoCore.ClientPluginHost 0x708d2:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dfb:$a2: NanoCore.ClientPlugin 0x2204b:$a2: NanoCore.ClientPlugin 0x2bedf:$a2: NanoCore.ClientPlugin 0x33e47:$a2: NanoCore.ClientPlugin 0x39e2e:$a2: NanoCore.ClientPlugin 0x4397d:$a2: NanoCore.ClientPlugin 0x4dda3:$a2: NanoCore.ClientPlugin 0x58d00:$a2: NanoCore.ClientPlugin 0x64aea:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.4015710.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.4015710.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.4015710.17.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.4015710.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.4015710.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dc0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5dc0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dc0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
3.2.Jens Frodesen CV.exe.5dc0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f815e7.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f815e7.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f815e7.13.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.Jens Frodesen CV.exe.3f815e7.13.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70b0000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70b0000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70b0000.32.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70b0000.32.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0xe99f:$x2: NanoCore.ClientPlugin 0x1a741:$x2: NanoCore.ClientPlugin 0x3f645:$x2: NanoCore.ClientPlugin 0x4ea89:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0xe9c8:$x3: NanoCore.ClientPluginHost 0x1a76a:$x3: NanoCore.ClientPluginHost 0x3f66e:$x3: NanoCore.ClientPluginHost 0x4eaae:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0xe990:$i3: IClientNetwork 0x1a732:$i3: IClientNetwork 0x3f636:$i3: IClientNetwork 0x4ea7a:$i3: IClientNetwork 0x4ea9f:$i4: IClientAppHost 0x3a43:$i5: IClientDataHost 0x4eac8:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0xe9b5:$i6: IClientLoggingHost 0x1a757:$i6: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0xe9c8:$a1: NanoCore.ClientPluginHost 0x1a76a:$a1: NanoCore.ClientPluginHost 0x3f66e:$a1: NanoCore.ClientPluginHost 0x4eaae:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0xe99f:$a2: NanoCore.ClientPlugin 0x1a741:$a2: NanoCore.ClientPlugin 0x3f645:$a2: NanoCore.ClientPlugin 0x4ea89:$a2: NanoCore.ClientPlugin 0x4ea9f:$b4: IClientAppHost 0x47e1:$b7: LogClientException 0x1cab3:$b7: LogClientException 0x44699:$b7: LogClientException 0x52f8e:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost 0xe9b5:$b9: IClientLoggingHost 0x1a757:$b9: IClientLoggingHost 0x3f65b:$b9: IClientLoggingHost 0x4ead8:$b9: IClientLoggingHost
3.0.Jens Frodesen CV.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.Jens Frodesen CV.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.0.Jens Frodesen CV.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.Jens Frodesen CV.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
3.0.Jens Frodesen CV.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.Jens Frodesen CV.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0xf2f6:$x1: NanoCore.ClientPluginHost 0x195d3:$x1: NanoCore.ClientPluginHost 0x1e3f3:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0xf333:$x2: IClientNetworkHost 0x195ed:$x2: IClientNetworkHost 0x1e40d:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0xf2f6:$x2: NanoCore.ClientPluginHost 0x195d3:$x2: NanoCore.ClientPluginHost 0x1e3f3:$x2: NanoCore.ClientPluginHost 0x199bf:$s3: PipeExists 0x1e7df:$s3: PipeExists 0x52b6:$s4: PipeCreated 0x12749:$s4: PipeCreated 0x19894:$s4: PipeCreated 0x1e6b4:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0xf320:$s5: IClientLoggingHost 0x1960e:$s5: IClientLoggingHost 0x1e42e:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0xf2d1:$x2: NanoCore.ClientPlugin 0x19596:$x2: NanoCore.ClientPlugin 0x1e3b6:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0xf2f6:$x3: NanoCore.ClientPluginHost 0x195d3:$x3: NanoCore.ClientPluginHost 0x1e3f3:$x3: NanoCore.ClientPluginHost 0x195b8:$i1: IClientApp 0x1e3d8:$i1: IClientApp 0x195ac:$i2: IClientData 0x1e3cc:$i2: IClientData 0x34d3:$i3: IClientNetwork 0xf2c2:$i3: IClientNetwork 0x19587:$i3: IClientNetwork 0x1e3a7:$i3: IClientNetwork 0xf2e7:$i4: IClientAppHost 0x19621:$i4: IClientAppHost 0x1e441:$i4: IClientAppHost 0xf310:$i5: IClientDataHost 0x195c3:$i5: IClientDataHost
3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34e2:$a: NanoCore 0x350b:$a: NanoCore 0xf2b9:$a: NanoCore 0xf2d1:$a: NanoCore 0xf2f6:$a: NanoCore 0x1953d:$a: NanoCore 0x19596:$a: NanoCore 0x195d3:$a: NanoCore 0x1964c:$a: NanoCore 0x1e35d:$a: NanoCore 0x1e3b6:$a: NanoCore 0x1e3f3:$a: NanoCore 0x1e46c:$a: NanoCore 0x3309:$b: ClientPlugin 0x331e:$b: ClientPlugin 0x334e:$b: ClientPlugin 0x34eb:$b: ClientPlugin 0x3514:$b: ClientPlugin 0xf036:$b: ClientPlugin 0xf048:$b: ClientPlugin 0xf078:$b: ClientPlugin
3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0xf2f6:$a1: NanoCore.ClientPluginHost 0x195d3:$a1: NanoCore.ClientPluginHost 0x1e3f3:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0xf2d1:$a2: NanoCore.ClientPlugin 0x19596:$a2: NanoCore.ClientPlugin 0x1e3b6:$a2: NanoCore.ClientPlugin 0x1996a:$b1: get_BuilderSettings 0x1e78a:$b1: get_BuilderSettings 0xf2e7:$b4: IClientAppHost 0x19621:$b4: IClientAppHost 0x1e441:$b4: IClientAppHost 0x199db:$b6: AddHostEntry 0x1e7fb:$b6: AddHostEntry 0x5854:$b7: LogClientException 0x137d6:$b7: LogClientException 0x19a4a:$b7: LogClientException 0x1e86a:$b7: LogClientException 0x199bf:$b8: PipeExists 0x1e7df:$b8: PipeExists
0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbb59d:$x1: NanoCore.ClientPluginHost 0xbb5da:$x2: IClientNetworkHost 0xbf10d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xbb305:$x1: NanoCore Client 0xbb315:$x1: NanoCore Client 0xbb55d:$x2: NanoCore.ClientPlugin 0xbb59d:$x3: NanoCore.ClientPluginHost 0xbb552:$i1: IClientApp 0xbb573:$i2: IClientData 0xbb57f:$i3: IClientNetwork 0xbb58e:$i4: IClientAppHost 0xbb5b7:$i5: IClientDataHost 0xbb5c7:$i6: IClientLoggingHost 0xbb5da:$i7: IClientNetworkHost 0xbb5ed:$i8: IClientUIHost 0xbb5fb:$i9: IClientNameObjectCollection 0xbb617:$i10: IClientReadOnlyNameObjectCollection 0xbb364:$s1: ClientPlugin 0xbb566:$s1: ClientPlugin 0xbba5a:$s2: EndPoint 0xbba63:$s3: IPAddress 0xbba6d:$s4: IPEndPoint 0xbd4a3:$s6: get_ClientSettings 0xbda47:$s7: get_Connected
0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbb305:$a: NanoCore 0xbb315:$a: NanoCore 0xbb549:$a: NanoCore 0xbb55d:$a: NanoCore 0xbb59d:$a: NanoCore 0xbb364:$b: ClientPlugin 0xbb566:$b: ClientPlugin 0xbb5a6:$b: ClientPlugin 0xbb48b:$c: ProjectData 0x19feca:$c: ProjectData 0xbbe92:$d: DESCrypto 0xc385e:$e: KeepAlive 0xc184c:$g: LogClientMessage 0xbda47:$i: get_Connected 0xbc1c8:$j: #=q 0xbc1f8:$j: #=q 0xbc214:$j: #=q 0xbc244:$j: #=q 0xbc260:$j: #=q 0xbc27c:$j: #=q 0xbc2ac:$j: #=q
0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xbb59d:$a1: NanoCore.ClientPluginHost 0xbb55d:$a2: NanoCore.ClientPlugin 0xbd4b6:$b1: get_BuilderSettings 0xbb3b9:$b2: ClientLoaderForm.resources 0xbcbd6:$b3: PluginCommand 0xbb58e:$b4: IClientAppHost 0xc5a0e:$b5: GetBlockHash 0xbdb0e:$b6: AddHostEntry 0xc1801:$b7: LogClientException 0xbda7b:$b8: PipeExists 0xbb5c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.7080000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7080000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7080000.30.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
3.2.Jens Frodesen CV.exe.7080000.30.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e354cc.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e354cc.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e354cc.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.2e354cc.4.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6150000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.6150000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6150000.26.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.6150000.26.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.6150000.26.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7090000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7090000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7090000.31.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.Jens Frodesen CV.exe.7090000.31.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x45af0:$x2: NanoCore.ClientPluginHost 0x4bac1:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x45c0b:$s4: PipeCreated 0x4bb9f:$s4: PipeCreated 0x55723:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x221f8:$x2: NanoCore.ClientPlugin 0x32413:$x2: NanoCore.ClientPlugin 0x3f61e:$x2: NanoCore.ClientPlugin 0x45b6a:$x2: NanoCore.ClientPlugin 0x4bb0b:$x2: NanoCore.ClientPlugin 0x55617:$x2: NanoCore.ClientPlugin 0x5f9f8:$x2: NanoCore.ClientPlugin 0x6a90c:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2221d:$x3: NanoCore.ClientPluginHost 0x32439:$x3: NanoCore.ClientPluginHost 0x3f5a2:$x3: NanoCore.ClientPluginHost 0x45af0:$x3: NanoCore.ClientPluginHost 0x4bac1:$x3: NanoCore.ClientPluginHost 0x5552d:$x3: NanoCore.ClientPluginHost 0x5f958:$x3: NanoCore.ClientPluginHost 0x6a935:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2221d:$a1: NanoCore.ClientPluginHost 0x32439:$a1: NanoCore.ClientPluginHost 0x3f5a2:$a1: NanoCore.ClientPluginHost 0x45af0:$a1: NanoCore.ClientPluginHost 0x4bac1:$a1: NanoCore.ClientPluginHost 0x5552d:$a1: NanoCore.ClientPluginHost 0x5f958:$a1: NanoCore.ClientPluginHost 0x6a935:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x221f8:$a2: NanoCore.ClientPlugin 0x32413:$a2: NanoCore.ClientPlugin 0x3f61e:$a2: NanoCore.ClientPlugin 0x45b6a:$a2: NanoCore.ClientPlugin 0x4bb0b:$a2: NanoCore.ClientPlugin 0x55617:$a2: NanoCore.ClientPlugin 0x5f9f8:$a2: NanoCore.ClientPlugin 0x6a90c:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings
3.2.Jens Frodesen CV.exe.7070000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7070000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7070000.29.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.7070000.29.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3c691:$x2: NanoCore.ClientPluginHost 0x42662:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3c7ac:$s4: PipeCreated 0x42740:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x18d99:$x2: NanoCore.ClientPlugin 0x28fb4:$x2: NanoCore.ClientPlugin 0x361bf:$x2: NanoCore.ClientPlugin 0x3c70b:$x2: NanoCore.ClientPlugin 0x426ac:$x2: NanoCore.ClientPlugin 0x4c1b8:$x2: NanoCore.ClientPlugin 0x56599:$x2: NanoCore.ClientPlugin 0x614ad:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x18dbe:$x3: NanoCore.ClientPluginHost 0x28fda:$x3: NanoCore.ClientPluginHost 0x36143:$x3: NanoCore.ClientPluginHost 0x3c691:$x3: NanoCore.ClientPluginHost 0x42662:$x3: NanoCore.ClientPluginHost 0x4c0ce:$x3: NanoCore.ClientPluginHost 0x564f9:$x3: NanoCore.ClientPluginHost 0x614d6:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0x18d8a:$i3: IClientNetwork
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x18dbe:$a1: NanoCore.ClientPluginHost 0x28fda:$a1: NanoCore.ClientPluginHost 0x36143:$a1: NanoCore.ClientPluginHost 0x3c691:$a1: NanoCore.ClientPluginHost 0x42662:$a1: NanoCore.ClientPluginHost 0x4c0ce:$a1: NanoCore.ClientPluginHost 0x564f9:$a1: NanoCore.ClientPluginHost 0x614d6:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x18d99:$a2: NanoCore.ClientPlugin 0x28fb4:$a2: NanoCore.ClientPlugin 0x361bf:$a2: NanoCore.ClientPlugin 0x3c70b:$a2: NanoCore.ClientPlugin 0x426ac:$a2: NanoCore.ClientPlugin 0x4c1b8:$a2: NanoCore.ClientPlugin 0x56599:$a2: NanoCore.ClientPlugin 0x614ad:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x1c75b:$b1: get_BuilderSettings 0x18daf:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.2c22150.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2c22150.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2c22150.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.2c22150.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d60000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5d60000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.5d60000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5d60000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.2.Jens Frodesen CV.exe.4246338.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Jens Frodesen CV.exe.4246338.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Jens Frodesen CV.exe.4246338.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Jens Frodesen CV.exe.4246338.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.Jens Frodesen CV.exe.4246338.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.Jens Frodesen CV.exe.4246338.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dd0000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5dd0000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dd0000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5dd0000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3895:$x1: NanoCore.ClientPluginHost 0x38af:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3895:$x2: NanoCore.ClientPluginHost 0x3c81:$s3: PipeExists 0x3b56:$s4: PipeCreated 0x38d0:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3858:$x2: NanoCore.ClientPlugin 0x3895:$x3: NanoCore.ClientPluginHost 0x387a:$i1: IClientApp 0x386e:$i2: IClientData 0x3849:$i3: IClientNetwork 0x38e3:$i4: IClientAppHost 0x3885:$i5: IClientDataHost 0x38d0:$i6: IClientLoggingHost 0x38af:$i7: IClientNetworkHost 0x38c2:$i8: IClientUIHost 0x38f2:$i9: IClientNameObjectCollection 0x3917:$i10: IClientReadOnlyNameObjectCollection 0x3861:$s1: ClientPlugin 0x419c:$s1: ClientPlugin 0x41a9:$s1: ClientPlugin 0x3c19:$s6: get_ClientSettings 0x3c69:$s7: get_Connected
3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3895:$a1: NanoCore.ClientPluginHost 0x3858:$a2: NanoCore.ClientPlugin 0x3c2c:$b1: get_BuilderSettings 0x38e3:$b4: IClientAppHost 0x3c9d:$b6: AddHostEntry 0x3d0c:$b7: LogClientException 0x3c81:$b8: PipeExists 0x38d0:$b9: IClientLoggingHost
28.2.dhcpmon.exe.33f9660.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.dhcpmon.exe.33f9660.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.dhcpmon.exe.33f9660.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
28.2.dhcpmon.exe.33f9660.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x11912:$x2: NanoCore.ClientPlugin 0x36816:$x2: NanoCore.ClientPlugin 0x45c5a:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x1193b:$x3: NanoCore.ClientPluginHost 0x3683f:$x3: NanoCore.ClientPluginHost 0x45c7f:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x11903:$i3: IClientNetwork 0x36807:$i3: IClientNetwork 0x45c4b:$i3: IClientNetwork 0x45c70:$i4: IClientAppHost 0x45c99:$i5: IClientDataHost 0x5b86:$i6: IClientLoggingHost 0x11928:$i6: IClientLoggingHost 0x3682c:$i6: IClientLoggingHost 0x45ca9:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x11955:$i7: IClientNetworkHost 0x36859:$i7: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x1193b:$a1: NanoCore.ClientPluginHost 0x3683f:$a1: NanoCore.ClientPluginHost 0x45c7f:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x11912:$a2: NanoCore.ClientPlugin 0x36816:$a2: NanoCore.ClientPlugin 0x45c5a:$a2: NanoCore.ClientPlugin 0x45c70:$b4: IClientAppHost 0x13c84:$b7: LogClientException 0x3b86a:$b7: LogClientException 0x4a15f:$b7: LogClientException 0x5b86:$b9: IClientLoggingHost 0x11928:$b9: IClientLoggingHost 0x3682c:$b9: IClientLoggingHost 0x45ca9:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70c0000.35.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70c0000.35.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70c0000.35.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70c0000.35.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x102cb:$x1: NanoCore.ClientPluginHost 0x150eb:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost 0x102e5:$x2: IClientNetworkHost 0x15105:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x102cb:$x2: NanoCore.ClientPluginHost 0x150eb:$x2: NanoCore.ClientPluginHost 0x106b7:$s3: PipeExists 0x154d7:$s3: PipeExists 0x9441:$s4: PipeCreated 0x1058c:$s4: PipeCreated 0x153ac:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost 0x10306:$s5: IClientLoggingHost 0x15126:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x1028e:$x2: NanoCore.ClientPlugin 0x150ae:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x102cb:$x3: NanoCore.ClientPluginHost 0x150eb:$x3: NanoCore.ClientPluginHost 0x102b0:$i1: IClientApp 0x150d0:$i1: IClientApp 0x102a4:$i2: IClientData 0x150c4:$i2: IClientData 0x5fba:$i3: IClientNetwork 0x1027f:$i3: IClientNetwork 0x1509f:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x10319:$i4: IClientAppHost 0x15139:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x102bb:$i5: IClientDataHost 0x150db:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x10306:$i6: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5fb1:$a: NanoCore 0x5fc9:$a: NanoCore 0x5fee:$a: NanoCore 0x10235:$a: NanoCore 0x1028e:$a: NanoCore 0x102cb:$a: NanoCore 0x10344:$a: NanoCore 0x15055:$a: NanoCore 0x150ae:$a: NanoCore 0x150eb:$a: NanoCore 0x15164:$a: NanoCore 0x5d2e:$b: ClientPlugin 0x5d40:$b: ClientPlugin 0x5d70:$b: ClientPlugin 0x5fd2:$b: ClientPlugin 0x5ff7:$b: ClientPlugin 0x10297:$b: ClientPlugin 0x102d4:$b: ClientPlugin 0x10bd2:$b: ClientPlugin 0x10bdf:$b: ClientPlugin 0x150b7:$b: ClientPlugin
3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x102cb:$a1: NanoCore.ClientPluginHost 0x150eb:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x1028e:$a2: NanoCore.ClientPlugin 0x150ae:$a2: NanoCore.ClientPlugin 0x10662:$b1: get_BuilderSettings 0x15482:$b1: get_BuilderSettings 0x5fdf:$b4: IClientAppHost 0x10319:$b4: IClientAppHost 0x15139:$b4: IClientAppHost 0x106d3:$b6: AddHostEntry 0x154f3:$b6: AddHostEntry 0xa4ce:$b7: LogClientException 0x10742:$b7: LogClientException 0x15562:$b7: LogClientException 0x106b7:$b8: PipeExists 0x154d7:$b8: PipeExists 0x6018:$b9: IClientLoggingHost 0x10306:$b9: IClientLoggingHost 0x15126:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f8a416.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f8a416.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f8a416.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0xcd12:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0xcd3b:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0xcd03:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0xcd28:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0xcd55:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0xcb7e:$s1: ClientPlugin 0xcd1b:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
3.2.Jens Frodesen CV.exe.3f8a416.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0xcd3b:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0xcd12:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost 0xcd28:$b9: IClientLoggingHost
28.2.dhcpmon.exe.43db7d6.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.dhcpmon.exe.43db7d6.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.dhcpmon.exe.43db7d6.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
28.2.dhcpmon.exe.43db7d6.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f98846.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3f98846.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3f98846.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.3f98846.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7100000.36.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.7100000.36.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.7100000.36.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.7100000.36.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
28.2.dhcpmon.exe.43f95f8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
28.2.dhcpmon.exe.43f95f8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xd9c7:$s5: IClientLoggingHost
28.2.dhcpmon.exe.43f95f8.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin
28.2.dhcpmon.exe.43f95f8.2.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0xd9c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d8c:$x2: NanoCore.ClientPlugin 0x1fbe0:$x2: NanoCore.ClientPlugin 0x27b06:$x2: NanoCore.ClientPlugin 0x2daa9:$x2: NanoCore.ClientPlugin 0x375b7:$x2: NanoCore.ClientPlugin 0x4199a:$x2: NanoCore.ClientPlugin 0x4c8b0:$x2: NanoCore.ClientPlugin 0x58654:$x2: NanoCore.ClientPlugin 0x7d55a:$x2: NanoCore.ClientPlugin 0x8c9a0:$x2: NanoCore.ClientPlugin 0xb3fa5:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d10:$x3: NanoCore.ClientPluginHost 0x1fb64:$x3: NanoCore.ClientPluginHost 0x27a8c:$x3: NanoCore.ClientPluginHost 0x2da5f:$x3: NanoCore.ClientPluginHost 0x374cd:$x3: NanoCore.ClientPluginHost 0x418fa:$x3: NanoCore.ClientPluginHost 0x4c8d9:$x3: NanoCore.ClientPluginHost 0x5867d:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d10:$a1: NanoCore.ClientPluginHost 0x1fb64:$a1: NanoCore.ClientPluginHost 0x27a8c:$a1: NanoCore.ClientPluginHost 0x2da5f:$a1: NanoCore.ClientPluginHost 0x374cd:$a1: NanoCore.ClientPluginHost 0x418fa:$a1: NanoCore.ClientPluginHost 0x4c8d9:$a1: NanoCore.ClientPluginHost 0x5867d:$a1: NanoCore.ClientPluginHost 0x7d583:$a1: NanoCore.ClientPluginHost 0x8c9c5:$a1: NanoCore.ClientPluginHost 0xb3fce:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d8c:$a2: NanoCore.ClientPlugin 0x1fbe0:$a2: NanoCore.ClientPlugin 0x27b06:$a2: NanoCore.ClientPlugin 0x2daa9:$a2: NanoCore.ClientPlugin 0x375b7:$a2: NanoCore.ClientPlugin 0x4199a:$a2: NanoCore.ClientPlugin 0x4c8b0:$a2: NanoCore.ClientPlugin 0x58654:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x2d603:$x2: NanoCore.ClientPluginHost 0x3a76c:$x2: NanoCore.ClientPluginHost 0x40cba:$x2: NanoCore.ClientPluginHost 0x46c8b:$x2: NanoCore.ClientPluginHost 0x506f7:$x2: NanoCore.ClientPluginHost 0x5ab22:$x2: NanoCore.ClientPluginHost 0x65aff:$x2: NanoCore.ClientPluginHost 0x2e5d2:$s2: FileCommand 0x5164d:$s3: PipeExists 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0x32fd4:$s4: PipeCreated 0x3a889:$s4: PipeCreated 0x40dd5:$s4: PipeCreated 0x46d69:$s4: PipeCreated 0x508ed:$s4: PipeCreated 0x5ac6d:$s4: PipeCreated 0x66b34:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x1d3c2:$x2: NanoCore.ClientPlugin 0x2d5dd:$x2: NanoCore.ClientPlugin 0x3a7e8:$x2: NanoCore.ClientPlugin 0x40d34:$x2: NanoCore.ClientPlugin 0x46cd5:$x2: NanoCore.ClientPlugin 0x507e1:$x2: NanoCore.ClientPlugin 0x5abc2:$x2: NanoCore.ClientPlugin 0x65ad6:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x1d3e7:$x3: NanoCore.ClientPluginHost 0x2d603:$x3: NanoCore.ClientPluginHost 0x3a76c:$x3: NanoCore.ClientPluginHost 0x40cba:$x3: NanoCore.ClientPluginHost 0x46c8b:$x3: NanoCore.ClientPluginHost 0x506f7:$x3: NanoCore.ClientPluginHost 0x5ab22:$x3: NanoCore.ClientPluginHost 0x65aff:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x1d3b3:$i3: IClientNetwork
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x1d3e7:$a1: NanoCore.ClientPluginHost 0x2d603:$a1: NanoCore.ClientPluginHost 0x3a76c:$a1: NanoCore.ClientPluginHost 0x40cba:$a1: NanoCore.ClientPluginHost 0x46c8b:$a1: NanoCore.ClientPluginHost 0x506f7:$a1: NanoCore.ClientPluginHost 0x5ab22:$a1: NanoCore.ClientPluginHost 0x65aff:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x1d3c2:$a2: NanoCore.ClientPlugin 0x2d5dd:$a2: NanoCore.ClientPlugin 0x3a7e8:$a2: NanoCore.ClientPlugin 0x40d34:$a2: NanoCore.ClientPlugin 0x46cd5:$a2: NanoCore.ClientPlugin 0x507e1:$a2: NanoCore.ClientPlugin 0x5abc2:$a2: NanoCore.ClientPlugin 0x65ad6:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x20d84:$b1: get_BuilderSettings 0x1d3d8:$b4: IClientAppHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0xb6cb:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost 0xb6e5:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0xb6cb:$x2: NanoCore.ClientPluginHost 0xbab7:$s3: PipeExists 0x7641:$s4: PipeCreated 0xb98c:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost 0xb706:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0xb68e:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0xb6cb:$x3: NanoCore.ClientPluginHost 0xb6b0:$i1: IClientApp 0xb6a4:$i2: IClientData 0x41ba:$i3: IClientNetwork 0xb67f:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0xb719:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0xb6bb:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0xb706:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0xb6e5:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0xb6f8:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0xb728:$i9: IClientNameObjectCollection 0xb74d:$i10: IClientReadOnlyNameObjectCollection
3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x41b1:$a: NanoCore 0x41c9:$a: NanoCore 0x41ee:$a: NanoCore 0xb635:$a: NanoCore 0xb68e:$a: NanoCore 0xb6cb:$a: NanoCore 0xb744:$a: NanoCore 0x3f2e:$b: ClientPlugin 0x3f40:$b: ClientPlugin 0x3f70:$b: ClientPlugin 0x41d2:$b: ClientPlugin 0x41f7:$b: ClientPlugin 0xb697:$b: ClientPlugin 0xb6d4:$b: ClientPlugin 0xbfd2:$b: ClientPlugin 0xbfdf:$b: ClientPlugin 0x40c0:$c: ProjectData 0xbb1f:$g: LogClientMessage 0xba9f:$i: get_Connected 0x3fe8:$j: #=q 0x49df:$j: #=q
3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0xb6cb:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0xb68e:$a2: NanoCore.ClientPlugin 0xba62:$b1: get_BuilderSettings 0x41df:$b4: IClientAppHost 0xb719:$b4: IClientAppHost 0xbad3:$b6: AddHostEntry 0x86ce:$b7: LogClientException 0xbb42:$b7: LogClientException 0xbab7:$b8: PipeExists 0x4218:$b9: IClientLoggingHost 0xb706:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x5c95:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x5caf:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x5c95:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x6081:$s3: PipeExists 0x1136:$s4: PipeCreated 0x5f56:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x5cd0:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x5c58:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x5c95:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0x5c7a:$i1: IClientApp 0xe4e:$i2: IClientData 0x5c6e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x5c49:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0x5ce3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x5c85:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x5cd0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0x5caf:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0x5cc2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection
3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x5c95:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x5c58:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x602c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x5ce3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x609d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x610c:$b7: LogClientException 0x1261:$b8: PipeExists 0x6081:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x5cd0:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d70000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.5d70000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.5d70000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
3.2.Jens Frodesen CV.exe.5d70000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb537:$x1: NanoCore.ClientPluginHost 0x1345f:$x1: NanoCore.ClientPluginHost 0x19432:$x1: NanoCore.ClientPluginHost 0x22ea0:$x1: NanoCore.ClientPluginHost 0x2d2cd:$x1: NanoCore.ClientPluginHost 0x382ac:$x1: NanoCore.ClientPluginHost 0x44050:$x1: NanoCore.ClientPluginHost 0x68f56:$x1: NanoCore.ClientPluginHost 0x78398:$x1: NanoCore.ClientPluginHost 0x9f9a1:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb570:$x2: IClientNetworkHost 0x13498:$x2: IClientNetworkHost 0x22ffd:$x2: IClientNetworkHost 0x2d306:$x2: IClientNetworkHost 0x382c6:$x2: IClientNetworkHost 0x4406a:$x2: IClientNetworkHost 0x68f70:$x2: IClientNetworkHost 0x783d5:$x2: IClientNetworkHost 0x9f9bb:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b3:$x2: NanoCore.ClientPlugin 0x134d9:$x2: NanoCore.ClientPlugin 0x1947c:$x2: NanoCore.ClientPlugin 0x22f8a:$x2: NanoCore.ClientPlugin 0x2d36d:$x2: NanoCore.ClientPlugin 0x38283:$x2: NanoCore.ClientPlugin 0x44027:$x2: NanoCore.ClientPlugin 0x68f2d:$x2: NanoCore.ClientPlugin 0x78373:$x2: NanoCore.ClientPlugin 0x9f978:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb537:$x3: NanoCore.ClientPluginHost 0x1345f:$x3: NanoCore.ClientPluginHost 0x19432:$x3: NanoCore.ClientPluginHost 0x22ea0:$x3: NanoCore.ClientPluginHost 0x2d2cd:$x3: NanoCore.ClientPluginHost 0x382ac:$x3: NanoCore.ClientPluginHost 0x44050:$x3: NanoCore.ClientPluginHost 0x68f56:$x3: NanoCore.ClientPluginHost 0x78398:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb537:$a: NanoCore 0xb5b3:$a: NanoCore 0xde96:$a: NanoCore 0x1345f:$a: NanoCore 0x134d9:$a: NanoCore 0x18076:$a: NanoCore 0x19432:$a: NanoCore 0x1947c:$a: NanoCore 0x1a0d6:$a: NanoCore 0x22ea0:$a: NanoCore 0x22f8a:$a: NanoCore
3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb537:$a1: NanoCore.ClientPluginHost 0x1345f:$a1: NanoCore.ClientPluginHost 0x19432:$a1: NanoCore.ClientPluginHost 0x22ea0:$a1: NanoCore.ClientPluginHost 0x2d2cd:$a1: NanoCore.ClientPluginHost 0x382ac:$a1: NanoCore.ClientPluginHost 0x44050:$a1: NanoCore.ClientPluginHost 0x68f56:$a1: NanoCore.ClientPluginHost 0x78398:$a1: NanoCore.ClientPluginHost 0x9f9a1:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b3:$a2: NanoCore.ClientPlugin 0x134d9:$a2: NanoCore.ClientPlugin 0x1947c:$a2: NanoCore.ClientPlugin 0x22f8a:$a2: NanoCore.ClientPlugin 0x2d36d:$a2: NanoCore.ClientPlugin 0x38283:$a2: NanoCore.ClientPlugin 0x44027:$a2: NanoCore.ClientPlugin 0x68f2d:$a2: NanoCore.ClientPlugin 0x78373:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x40cba:$x1: NanoCore.ClientPluginHost 0x46c8b:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0x718a1:$x1: NanoCore.ClientPluginHost 0x967a5:$x1: NanoCore.ClientPluginHost 0xa5be5:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x40cf3:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost 0x65b19:$x2: IClientNetworkHost 0x718bb:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x1d3c2:$x2: NanoCore.ClientPlugin 0x2d5dd:$x2: NanoCore.ClientPlugin 0x3a7e8:$x2: NanoCore.ClientPlugin 0x40d34:$x2: NanoCore.ClientPlugin 0x46cd5:$x2: NanoCore.ClientPlugin 0x507e1:$x2: NanoCore.ClientPlugin 0x5abc2:$x2: NanoCore.ClientPlugin 0x65ad6:$x2: NanoCore.ClientPlugin 0x71878:$x2: NanoCore.ClientPlugin 0x9677c:$x2: NanoCore.ClientPlugin 0xa5bc0:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x1d3e7:$x3: NanoCore.ClientPluginHost 0x2d603:$x3: NanoCore.ClientPluginHost 0x3a76c:$x3: NanoCore.ClientPluginHost 0x40cba:$x3: NanoCore.ClientPluginHost 0x46c8b:$x3: NanoCore.ClientPluginHost 0x506f7:$x3: NanoCore.ClientPluginHost 0x5ab22:$x3: NanoCore.ClientPluginHost 0x65aff:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x1d3e7:$a1: NanoCore.ClientPluginHost 0x2d603:$a1: NanoCore.ClientPluginHost 0x3a76c:$a1: NanoCore.ClientPluginHost 0x40cba:$a1: NanoCore.ClientPluginHost 0x46c8b:$a1: NanoCore.ClientPluginHost 0x506f7:$a1: NanoCore.ClientPluginHost 0x5ab22:$a1: NanoCore.ClientPluginHost 0x65aff:$a1: NanoCore.ClientPluginHost 0x718a1:$a1: NanoCore.ClientPluginHost 0x967a5:$a1: NanoCore.ClientPluginHost 0xa5be5:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x1d3c2:$a2: NanoCore.ClientPlugin 0x2d5dd:$a2: NanoCore.ClientPlugin 0x3a7e8:$a2: NanoCore.ClientPlugin 0x40d34:$a2: NanoCore.ClientPlugin 0x46cd5:$a2: NanoCore.ClientPlugin 0x507e1:$a2: NanoCore.ClientPlugin 0x5abc2:$a2: NanoCore.ClientPlugin 0x65ad6:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0x766d7:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x221f8:$x2: NanoCore.ClientPlugin 0x32413:$x2: NanoCore.ClientPlugin 0x3f61e:$x2: NanoCore.ClientPlugin 0x45b6a:$x2: NanoCore.ClientPlugin 0x4bb0b:$x2: NanoCore.ClientPlugin 0x55617:$x2: NanoCore.ClientPlugin 0x5f9f8:$x2: NanoCore.ClientPlugin 0x6a90c:$x2: NanoCore.ClientPlugin 0x766ae:$x2: NanoCore.ClientPlugin 0x9b5b2:$x2: NanoCore.ClientPlugin 0xaa9f6:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2221d:$x3: NanoCore.ClientPluginHost 0x32439:$x3: NanoCore.ClientPluginHost 0x3f5a2:$x3: NanoCore.ClientPluginHost 0x45af0:$x3: NanoCore.ClientPluginHost 0x4bac1:$x3: NanoCore.ClientPluginHost 0x5552d:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2221d:$a1: NanoCore.ClientPluginHost 0x32439:$a1: NanoCore.ClientPluginHost 0x3f5a2:$a1: NanoCore.ClientPluginHost 0x45af0:$a1: NanoCore.ClientPluginHost 0x4bac1:$a1: NanoCore.ClientPluginHost 0x5552d:$a1: NanoCore.ClientPluginHost 0x5f958:$a1: NanoCore.ClientPluginHost 0x6a935:$a1: NanoCore.ClientPluginHost 0x766d7:$a1: NanoCore.ClientPluginHost 0x9b5db:$a1: NanoCore.ClientPluginHost 0xaaa1b:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x221f8:$a2: NanoCore.ClientPlugin 0x32413:$a2: NanoCore.ClientPlugin 0x3f61e:$a2: NanoCore.ClientPlugin 0x45b6a:$a2: NanoCore.ClientPlugin 0x4bb0b:$a2: NanoCore.ClientPlugin 0x55617:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0x6d278:$x1: NanoCore.ClientPluginHost 0x9217c:$x1: NanoCore.ClientPluginHost 0xa15bc:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost 0x6d292:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x18d99:$x2: NanoCore.ClientPlugin 0x28fb4:$x2: NanoCore.ClientPlugin 0x361bf:$x2: NanoCore.ClientPlugin 0x3c70b:$x2: NanoCore.ClientPlugin 0x426ac:$x2: NanoCore.ClientPlugin 0x4c1b8:$x2: NanoCore.ClientPlugin 0x56599:$x2: NanoCore.ClientPlugin 0x614ad:$x2: NanoCore.ClientPlugin 0x6d24f:$x2: NanoCore.ClientPlugin 0x92153:$x2: NanoCore.ClientPlugin 0xa1597:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x18dbe:$x3: NanoCore.ClientPluginHost 0x28fda:$x3: NanoCore.ClientPluginHost 0x36143:$x3: NanoCore.ClientPluginHost 0x3c691:$x3: NanoCore.ClientPluginHost 0x42662:$x3: NanoCore.ClientPluginHost 0x4c0ce:$x3: NanoCore.ClientPluginHost 0x564f9:$x3: NanoCore.ClientPluginHost 0x614d6:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x18dbe:$a1: NanoCore.ClientPluginHost 0x28fda:$a1: NanoCore.ClientPluginHost 0x36143:$a1: NanoCore.ClientPluginHost 0x3c691:$a1: NanoCore.ClientPluginHost 0x42662:$a1: NanoCore.ClientPluginHost 0x4c0ce:$a1: NanoCore.ClientPluginHost 0x564f9:$a1: NanoCore.ClientPluginHost 0x614d6:$a1: NanoCore.ClientPluginHost 0x6d278:$a1: NanoCore.ClientPluginHost 0x9217c:$a1: NanoCore.ClientPluginHost 0xa15bc:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x18d99:$a2: NanoCore.ClientPlugin 0x28fb4:$a2: NanoCore.ClientPlugin 0x361bf:$a2: NanoCore.ClientPlugin 0x3c70b:$a2: NanoCore.ClientPlugin 0x426ac:$a2: NanoCore.ClientPlugin 0x4c1b8:$a2: NanoCore.ClientPlugin 0x56599:$a2: NanoCore.ClientPlugin 0x614ad:$a2: NanoCore.ClientPlugin
3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x728ff:$x1: NanoCore.ClientPluginHost 0x82b65:$x1: NanoCore.ClientPluginHost 0x8fd13:$x1: NanoCore.ClientPluginHost 0x99ba7:$x1: NanoCore.ClientPluginHost 0xa1b11:$x1: NanoCore.ClientPluginHost 0xa7b28:$x1: NanoCore.ClientPluginHost 0xb15d7:$x1: NanoCore.ClientPluginHost 0xbba47:$x1: NanoCore.ClientPluginHost 0xc6a6d:$x1: NanoCore.ClientPluginHost 0xd2857:$x1: NanoCore.ClientPluginHost 0xde616:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x72929:$x2: IClientNetworkHost 0x82b92:$x2: IClientNetworkHost 0x8fd4c:$x2: IClientNetworkHost 0x99be0:$x2: IClientNetworkHost 0xa1b4a:$x2: IClientNetworkHost 0xb1734:$x2: IClientNetworkHost 0xbba80:$x2: IClientNetworkHost 0xc6a87:$x2: IClientNetworkHost
3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x728da:$x2: NanoCore.ClientPlugin 0x82b3f:$x2: NanoCore.ClientPlugin 0x8fd8f:$x2: NanoCore.ClientPlugin 0x99c23:$x2: NanoCore.ClientPlugin 0xa1b8b:$x2: NanoCore.ClientPlugin 0xa7b72:$x2: NanoCore.ClientPlugin 0xb16c1:$x2: NanoCore.ClientPlugin 0xbbae7:$x2: NanoCore.ClientPlugin 0xc6a44:$x2: NanoCore.ClientPlugin 0xd282e:$x2: NanoCore.ClientPlugin 0xde5f1:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x728ff:$x3: NanoCore.ClientPluginHost 0x82b65:$x3: NanoCore.ClientPluginHost 0x8fd13:$x3: NanoCore.ClientPluginHost 0x99ba7:$x3: NanoCore.ClientPluginHost 0xa1b11:$x3: NanoCore.ClientPluginHost 0xa7b28:$x3: NanoCore.ClientPluginHost 0xb15d7:$x3: NanoCore.ClientPluginHost 0xbba47:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x728da:$a: NanoCore 0x728ff:$a: NanoCore 0x72958:$a: NanoCore 0x82b3f:$a: NanoCore 0x82b65:$a: NanoCore 0x82bc1:$a: NanoCore 0x8fa5b:$a: NanoCore 0x8fab4:$a: NanoCore 0x8fae7:$a: NanoCore 0x8fd13:$a: NanoCore 0x8fd8f:$a: NanoCore 0x903a8:$a: NanoCore 0x904f1:$a: NanoCore 0x909c5:$a: NanoCore 0x90cac:$a: NanoCore 0x90cc3:$a: NanoCore 0x99ba7:$a: NanoCore
3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x728ff:$a1: NanoCore.ClientPluginHost 0x82b65:$a1: NanoCore.ClientPluginHost 0x8fd13:$a1: NanoCore.ClientPluginHost 0x99ba7:$a1: NanoCore.ClientPluginHost 0xa1b11:$a1: NanoCore.ClientPluginHost 0xa7b28:$a1: NanoCore.ClientPluginHost 0xb15d7:$a1: NanoCore.ClientPluginHost 0xbba47:$a1: NanoCore.ClientPluginHost 0xc6a6d:$a1: NanoCore.ClientPluginHost 0xd2857:$a1: NanoCore.ClientPluginHost 0xde616:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x728da:$a2: NanoCore.ClientPlugin 0x82b3f:$a2: NanoCore.ClientPlugin 0x8fd8f:$a2: NanoCore.ClientPlugin 0x99c23:$a2: NanoCore.ClientPlugin 0xa1b8b:$a2: NanoCore.ClientPlugin 0xa7b72:$a2: NanoCore.ClientPlugin 0xb16c1:$a2: NanoCore.ClientPlugin 0xbbae7:$a2: NanoCore.ClientPlugin
0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0xe291e:$s2: EndPoint 0x10653:$s3: IPAddress 0xe2494:$s3: IPAddress 0x1065d:$s4: IPEndPoint
0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0xe2256:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14db3:$x2: NanoCore.ClientPlugin 0x21fc0:$x2: NanoCore.ClientPlugin 0x2be14:$x2: NanoCore.ClientPlugin 0x33d3a:$x2: NanoCore.ClientPlugin 0x39cdd:$x2: NanoCore.ClientPlugin 0x437eb:$x2: NanoCore.ClientPlugin 0x4dbce:$x2: NanoCore.ClientPlugin 0x58ae4:$x2: NanoCore.ClientPlugin 0x64888:$x2: NanoCore.ClientPlugin 0x8978e:$x2: NanoCore.ClientPlugin 0x98bd4:$x2: NanoCore.ClientPlugin 0xc01d9:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14dd9:$x3: NanoCore.ClientPluginHost 0x21f44:$x3: NanoCore.ClientPluginHost 0x2bd98:$x3: NanoCore.ClientPluginHost 0x33cc0:$x3: NanoCore.ClientPluginHost 0x39c93:$x3: NanoCore.ClientPluginHost 0x43701:$x3: NanoCore.ClientPluginHost 0x4db2e:$x3: NanoCore.ClientPluginHost
3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14dd9:$a1: NanoCore.ClientPluginHost 0x21f44:$a1: NanoCore.ClientPluginHost 0x2bd98:$a1: NanoCore.ClientPluginHost 0x33cc0:$a1: NanoCore.ClientPluginHost 0x39c93:$a1: NanoCore.ClientPluginHost 0x43701:$a1: NanoCore.ClientPluginHost 0x4db2e:$a1: NanoCore.ClientPluginHost 0x58b0d:$a1: NanoCore.ClientPluginHost 0x648b1:$a1: NanoCore.ClientPluginHost 0x897b7:$a1: NanoCore.ClientPluginHost 0x98bf9:$a1: NanoCore.ClientPluginHost 0xc0202:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14db3:$a2: NanoCore.ClientPlugin 0x21fc0:$a2: NanoCore.ClientPlugin 0x2be14:$a2: NanoCore.ClientPlugin 0x33d3a:$a2: NanoCore.ClientPlugin 0x39cdd:$a2: NanoCore.ClientPlugin 0x437eb:$a2: NanoCore.ClientPlugin 0x4dbce:$a2: NanoCore.ClientPlugin
Click to see the 283 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Jens Frodesen CV.exe, ProcessId: 5344, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Jens Frodesen CV.exe, ProcessId: 5344, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Jens Frodesen CV.exe" , ParentImage: C:\Users\user\Desktop\Jens Frodesen CV.exe, ParentProcessId: 2932, ParentProcessName: Jens Frodesen CV.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp, ProcessId: 5452, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Jens Frodesen CV.exe, ProcessId: 5344, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Jens Frodesen CV.exe, ProcessId: 5344, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 171.22.30.170

Timestamp:	192.168.2.7171.22.30.1704973019892816766 09/28/22-04:13:14.999476
SID:	2816766
Source Port:	49730
Destination Port:	1989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 171.22.30.170

Timestamp:	192.168.2.7171.22.30.1704971619892816766 09/28/22-04:12:02.248719
SID:	2816766
Source Port:	49716
Destination Port:	1989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 171.22.30.170 - Destination IP: 192.168.2.7

Timestamp:	171.22.30.170192.168.2.71989497292841753 09/28/22-04:13:08.192973
SID:	2841753
Source Port:	1989
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 171.22.30.170 - Destination IP: 192.168.2.7

Timestamp:	171.22.30.170192.168.2.71989497142841753 09/28/22-04:11:48.761471
SID:	2841753
Source Port:	1989
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 171.22.30.170 - Destination IP: 192.168.2.7

Timestamp:	171.22.30.170192.168.2.71989497322841753 09/28/22-04:13:50.237286
SID:	2841753
Source Port:	1989
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 171.22.30.170

Timestamp:	192.168.2.7171.22.30.1704971419892816766 09/28/22-04:11:48.872256
SID:	2816766
Source Port:	49714
Destination Port:	1989
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 171.22.30.170 - Destination IP: 192.168.2.7

Timestamp:	171.22.30.170192.168.2.71989497312841753 09/28/22-04:13:20.783532
SID:	2841753
Source Port:	1989
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.7 - Destination IP: 171.22.30.170

Timestamp:	192.168.2.7171.22.30.1704971519892816766 09/28/22-04:11:55.135716
SID:	2816766
Source Port:	49715
Destination Port:	1989
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Jens Frodesen CV.exe	ReversingLabs: Detection: 60%
Source: Jens Frodesen CV.exe	Virustotal: Detection: 56%	Perma Link
Source: Jens Frodesen CV.exe	Metadefender: Detection: 33%	Perma Link

Antivirus detection for URL or domain

Source: brightnano1.ddns.net

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: brightnano1.ddns.net	Virustotal: Detection: 13%			Perma Link
Source: brightnano1.ddns.net	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 60%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 56%	Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Metadefender: Detection: 33%	Perma Link
Source: C:\Users\user\AppData\Roaming\LrSEeB.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\LrSEeB.exe	Metadefender: Detection: 33%	Perma Link

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR

Machine Learning detection for sample

Source: Jens Frodesen CV.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\LrSEeB.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack	Avira: Label: TR/NanoCore.fadte

Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fba1bbc6-2cc8-4c94-b6c0-dda5a12f", "Group": "Default", "Domain1": "brightnano1.ddns.net", "Domain2": "", "Port": 1989, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Source: Jens Frodesen CV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Jens Frodesen CV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	3_2_0654C088
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_0654FDD0
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_0654FE36
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_0654FDC1
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_0654FD88

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49714 -> 171.22.30.170:1989
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 171.22.30.170:1989 -> 192.168.2.7:49714
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49715 -> 171.22.30.170:1989
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49716 -> 171.22.30.170:1989
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 171.22.30.170:1989 -> 192.168.2.7:49729
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.7:49730 -> 171.22.30.170:1989
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 171.22.30.170:1989 -> 192.168.2.7:49731
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 171.22.30.170:1989 -> 192.168.2.7:49732

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: brightnano1.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: brightnano1.ddns.net

Source: global traffic	TCP traffic: 192.168.2.7:49714 -> 171.22.30.170:1989
Source: global traffic	TCP traffic: 192.168.2.7:49718 -> 171.22.30.97:1989

Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97
Source: unknown	TCP traffic detected without corresponding DNS query: 171.22.30.97

Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: Jens Frodesen CV.exe, 00000000.00000002.282970188.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 0000000C.00000002.370323682.0000000003421000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.364394906.000000000310B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.398299174.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000000.00000003.240997438.000000000123C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: brightnano1.ddns.net

Source: dhcpmon.exe, 0000000E.00000002.358018633.0000000001538000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Source: Jens Frodesen CV.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7080000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7070000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f815e7.13.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70c4c9f.33.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7060000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7090000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7080000.30.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e354cc.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7090000.31.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7070000.29.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c22150.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 29.2.Jens Frodesen CV.exe.316962c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5dd0000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.2.dhcpmon.exe.33f9660.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2c15ed4.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70c0000.35.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5d60000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7100000.36.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70ce8a4.34.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f8a416.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.2.dhcpmon.exe.43db7d6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3f98846.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.7100000.36.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.2.dhcpmon.exe.43f95f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5400000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d9a5fd.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e3e7d4.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5dc0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.70b0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2e4dc2a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5db0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.5d70000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3daec2a.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.2ba8190.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.Jens Frodesen CV.exe.3d8e3c9.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Jens Frodesen CV.exe PID: 244, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 4320, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 988, type: MEMORYSTR	Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 0_2_0125C64C	0_2_0125C64C
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 0_2_0125E8C9	0_2_0125E8C9
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 0_2_0125E8D8	0_2_0125E8D8
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_07103324	3_2_07103324
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_07113DB0	3_2_07113DB0
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_071046D3	3_2_071046D3
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_071042EB	3_2_071042EB
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_00F9E480	3_2_00F9E480
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_00F9E471	3_2_00F9E471
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_00F9BBD4	3_2_00F9BBD4
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_06549218	3_2_06549218
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_06540040	3_2_06540040
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_06549E20	3_2_06549E20
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_06549EEE	3_2_06549EEE
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D91A	3_2_0654D91A

Source: Jens Frodesen CV.exe, 00000000.00000002.301886862.00000000075D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQuestKingdom.dllH vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000000.00000000.232835260.0000000000932000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSKaoF7b.exe4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000000.00000002.303159128.00000000078D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSKaoF7b.exe4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.548990207.00000000070B8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.549642575.000000000710E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.544979111.0000000006170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.549361044.00000000070E8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.530692383.0000000003BF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 00000003.00000002.548736594.000000000709E000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000000C.00000002.360950015.000000000160A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000000C.00000002.373661578.000000000468B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.411388148.0000000004157000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.411703943.0000000004168000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.411703943.0000000004168000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe, 0000001D.00000002.410964095.000000000414D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Jens Frodesen CV.exe
Source: Jens Frodesen CV.exe	Binary or memory string: OriginalFilenameSKaoF7b.exe4 vs Jens Frodesen CV.exe

Source: Jens Frodesen CV.exe	ReversingLabs: Detection: 60%
Source: Jens Frodesen CV.exe	Virustotal: Detection: 56%
Source: Jens Frodesen CV.exe	Metadefender: Detection: 33%

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File read: C:\Users\user\Desktop\Jens Frodesen CV.exe

Jump to behavior

Source: Jens Frodesen CV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe "C:\Users\user\Desktop\Jens Frodesen CV.exe"
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7194.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp75AC.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe "C:\Users\user\Desktop\Jens Frodesen CV.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpE91E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7194.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp75AC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpE91E.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File created: C:\Users\user\AppData\Roaming\LrSEeB.exe

Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File created: C:\Users\user\AppData\Local\Temp\tmp476F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@32/15@7/2

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: Jens Frodesen CV.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2600:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Jens Frodesen CV.exe

Static file information: File size 1053184 > 1048576

Source: Jens Frodesen CV.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Jens Frodesen CV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654E66A push eax; iretd	3_2_0654E675
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654C6D8 pushad ; ret	3_2_0654C6D9
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D701 push es; retf	3_2_0654D720
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D721 push ecx; iretd	3_2_0654D741
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D7D2 push ecx; iretd	3_2_0654D7D9
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D799 push ecx; iretd	3_2_0654D7D1
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D566 push es; retf	3_2_0654D58C
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_065475A8 push eax; iretd	3_2_065475B9
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_06544FEC push es; ret	3_2_06544FF0
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Code function: 3_2_0654D831 push es; retf	3_2_0654D850

Source: initial sample	Static PE information: section name: .text entropy: 6.901351263212902
Source: initial sample	Static PE information: section name: .text entropy: 6.901351263212902
Source: initial sample	Static PE information: section name: .text entropy: 6.901351263212902

Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	File created: C:\Users\user\AppData\Roaming\LrSEeB.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

File opened: C:\Users\user\Desktop\Jens Frodesen CV.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Jens Frodesen CV.exe, 00000000.00000002.282970188.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 0000000C.00000002.370524065.0000000003429000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.364976237.0000000003129000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Jens Frodesen CV.exe, 00000000.00000002.282970188.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 0000000C.00000002.370524065.0000000003429000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.364976237.0000000003129000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe TID: 5236	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe TID: 4160	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe TID: 3784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 2236	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe TID: 6080	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5760	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Window / User API: threadDelayed 9682			Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Window / User API: foregroundWindowGot 648			Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477

Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: dhcpmon.exe, 00000014.00000002.412145618.0000000007480000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: dhcpmon.exe, 0000000E.00000002.406829788.00000000074B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: dhcpmon.exe, 00000014.00000002.398586716.00000000032C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Jens Frodesen CV.exe, 00000003.00000002.515029123.0000000000D76000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Memory written: C:\Users\user\Desktop\Jens Frodesen CV.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Memory written: C:\Users\user\Desktop\Jens Frodesen CV.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Memory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7194.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp75AC.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Process created: C:\Users\user\Desktop\Jens Frodesen CV.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpE91E.tmp
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe {path}

Source: Jens Frodesen CV.exe, 00000003.00000002.527788716.0000000002ECA000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.529206395.0000000002F80000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.523130514.0000000002C97000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD$
Source: Jens Frodesen CV.exe, 00000003.00000002.548139283.0000000006D5B000.00000004.00000010.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.547077146.0000000006A0C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager
Source: Jens Frodesen CV.exe, 00000003.00000002.545174936.00000000062BD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Managerram Manager x
Source: Jens Frodesen CV.exe, 00000003.00000002.544654482.000000000614A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Users\user\Desktop\Jens Frodesen CV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Users\user\Desktop\Jens Frodesen CV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Users\user\Desktop\Jens Frodesen CV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Users\user\Desktop\Jens Frodesen CV.exe VolumeInformation
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Jens Frodesen CV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Jens Frodesen CV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Jens Frodesen CV.exe, 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Jens Frodesen CV.exe, 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Jens Frodesen CV.exe, 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Jens Frodesen CV.exe, 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Jens Frodesen CV.exe, 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKindDelegateDebuggerDis
Source: dhcpmon.exe, 0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HApplicationBaseMicrosoft.VisualBasic.ApplicationServicesUserConversionsMicrosoft.VisualBasic.CompilerServicesObjectFlowControlOperatorsProjectDataStandardModuleAttributeComputerMicrosoft.VisualBasic.DevicesHideModuleNameAttributeMyGroupCollectionAttributeContextValue`1Microsoft.VisualBasic.MyServices.InternalClientInvokeDelegateNanoCoreIClientDataNanoCore.ClientPluginIClientNetworkIClientDataHostNanoCore.ClientPluginHostIClientLoggingHostIClientNetworkHostIClientUIHostIClientNameObjectCollectionIClientReadOnlyNameObjectCollectionActivatorAppDomainArgumentOutOfRangeExceptionArrayAsyncCallbackBitConverterBooleanBufferByteCharCLSCompliantAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDictionary`2System.Collections.GenericEnumeratorIEnumerable`1KeyValuePair`2List`1IEnumeratorSystem.CollectionsEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateApplicationSettingsBaseSystem.ConfigurationSettingsBaseDateTimeDateTimeKind
Source: dhcpmon.exe, 0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Jens Frodesen CV.exe, 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Jens Frodesen CV.exe, 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.Jens Frodesen CV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4009ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eafd3a.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb9199.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.3eb4b70.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6154629.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.6150000.26.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4015710.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.40108da.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Jens Frodesen CV.exe.4019d39.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Jens Frodesen CV.exe.4246338.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 2932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 3104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jens Frodesen CV.exe PID: 4720, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	112 Process Injection	2 Masquerading	21 Input Capture	21 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Jens Frodesen CV.exe	60%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
Jens Frodesen CV.exe	57%	Virustotal		Browse
Jens Frodesen CV.exe	33%	Metadefender		Browse
Jens Frodesen CV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\LrSEeB.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	60%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	57%	Virustotal		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	33%	Metadefender		Browse
C:\Users\user\AppData\Roaming\LrSEeB.exe	60%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\LrSEeB.exe	33%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.Jens Frodesen CV.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
3.2.Jens Frodesen CV.exe.6150000.26.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
brightnano1.ddns.net	14%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
brightnano1.ddns.net	14%	Virustotal		Browse
brightnano1.ddns.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
brightnano1.ddns.net	171.22.30.170	true	true	14%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
brightnano1.ddns.net	true	14%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.carterandcone.coml	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000000.00000003.240997438.000000000123C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Jens Frodesen CV.exe, 00000000.00000002.282970188.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Jens Frodesen CV.exe, 0000000C.00000002.370323682.0000000003421000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 0000000E.00000002.364394906.000000000310B000.00000004.00000800.00020000.00000000.sdmp, dhcpmon.exe, 00000014.00000002.398299174.00000000032C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Jens Frodesen CV.exe, 00000000.00000002.297402479.0000000006EF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
171.22.30.97	unknown	Germany		33657	CMCSUS	false
171.22.30.170	brightnano1.ddns.net	Germany		33657	CMCSUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	711362
Start date and time:	2022-09-28 04:10:25 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Jens Frodesen CV.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@32/15@7/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 38 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.5, 20.190.159.72, 20.190.159.74, 40.126.31.64, 20.190.159.70, 20.190.159.3, 40.126.31.68, 20.190.159.69, 20.82.210.154
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, prda.aadg.msidentity.com, login.live.com, ctldl.windowsupdate.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:11:31	API Interceptor	813x Sleep call for process: Jens Frodesen CV.exe modified
04:11:42	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
04:11:44	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Jens Frodesen CV.exe" s>$(Arg0)
04:11:44	Task Scheduler	Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
04:12:05	API Interceptor	2x Sleep call for process: dhcpmon.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
171.22.30.97	remittance.exe	Get hash	malicious	Browse
171.22.30.97	RFQ23449.exe	Get hash	malicious	Browse
171.22.30.170	Jens Frodesen CV.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
brightnano1.ddns.net	Jens Frodesen CV.exe	Get hash	malicious	Browse	171.22.30.170
	remittance.exe	Get hash	malicious	Browse	171.22.30.97
	Re Remittance Advice.exe	Get hash	malicious	Browse	171.22.30.97
	RFQ23449.exe	Get hash	malicious	Browse	171.22.30.97
	SecuriteInfo.com.W32.AIDetectNet.01.22085.exe	Get hash	malicious	Browse	107.182.129.128
	SecuriteInfo.com.IL.Trojan.MSILZilla.22069.19688.exe	Get hash	malicious	Browse	107.182.129.128
	SecuriteInfo.com.W32.AIDetectNet.01.13156.exe	Get hash	malicious	Browse	107.182.129.128
	gfcytttt.exe	Get hash	malicious	Browse	107.182.129.128
	SecuriteInfo.com.W32.AIDetectNet.01.17432.exe	Get hash	malicious	Browse	105.112.217.248

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	FRT-2022-DDSP00001-B(01).exe	Get hash	malicious	Browse	81.161.229.148
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	41050#U00b780 swedbank#U00b7pdf.exe	Get hash	malicious	Browse	171.22.30.72
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	SecuriteInfo.com.Win32.DropperX-gen.17548.exe	Get hash	malicious	Browse	81.161.229.7
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	cnf14532432,pdf.vbs	Get hash	malicious	Browse	81.161.229.196
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106
	file.exe	Get hash	malicious	Browse	171.22.30.106

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1053184
Entropy (8bit):	6.863226854581627
Encrypted:	false
SSDEEP:	12288:kgqC2JPYZVj5taS55PO88JplF4HwjADqjJ5ndW+/Pi7gvkdCOVy/0BA+l6lhIiob:kg52p4J5tz688j4HojrIaE
MD5:	89197E451346ED5A3BA154F394948DE7
SHA1:	0E9D39EC84881CA095A9C1400D64EC586E983402
SHA-256:	DBAB1BF30E571BDDF1C21A19BEDEBFFD5A348145EA76ABDDC34A5172DF49AA3B
SHA-512:	F1C6BBDCB883E3DF94F497B5F7832A02AA455BEC92C680CD4DB0DDD9870E2AB3FBFB012C10B6E1983CDA81F3652C4878639E858D48E311394F8258D06D7E47B6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 60% Antivirus: Virustotal, Detection: 57%, Browse Antivirus: Metadefender, Detection: 33%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<1c..............P..:...........X... ...`....@.. .......................`............@..................................W..K....`.. ....................@....................................................... ............... ..H............text...48... ...:.................. ..`.rsrc... ....`.......<..............@..@.reloc.......@......................@..B.................X......H.......`E...................+.............................................(&...&..('.....s(........s)........s........s+........s,........Z........o?...........&..(@....j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+....{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+&........".......*

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jens Frodesen CV.exe.log

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp476F.tmp

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1655
Entropy (8bit):	5.165507625778931
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3f
MD5:	55D8D7A9509EE994B96E1EB880C39935
SHA1:	6A017D91DF07846CD90EB5CD160474E905DC06EC
SHA-256:	14A81BBC5132534A225A0B9EA5049B55F10CC24B8AB0B405ED21F3245B41A566
SHA-512:	29918549E4E46A74DFE8F9D99743A1FEA2A4EAD15943A8612AC530208075EE708DF9908E778494F8348C522BC4BBB9A2A3BC43B66B2D6D3A70031511F202679C
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Local\Temp\tmp7194.tmp

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.096327253513791
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0a5xtn:cbk4oL600QydbQxIYODOLedq3Jj
MD5:	5CBFC2A6DBBF17C97F318924EF5050EA
SHA1:	BA8CBBA30078270B9F3FDA3D3D0FF559DBD1EB26
SHA-256:	A4834B80E5AF7B565790A6D7D6ADF22BE59655EE4912643C97CB5247348B8210
SHA-512:	098DCE276CA97CE47302002AABE396D6FA825F99DB1F4133D722AFA95E5C84A6343BAF818DCA11EC442170CFC7D904A31C57C857065445B77E6DCDAB0FFFF9F5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp75AC.tmp

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1310
Entropy (8bit):	5.109425792877704
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
MD5:	5C2F41CFC6F988C859DA7D727AC2B62A
SHA1:	68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256:	98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
SHA-512:	B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1655
Entropy (8bit):	5.165507625778931
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3f
MD5:	55D8D7A9509EE994B96E1EB880C39935
SHA1:	6A017D91DF07846CD90EB5CD160474E905DC06EC
SHA-256:	14A81BBC5132534A225A0B9EA5049B55F10CC24B8AB0B405ED21F3245B41A566
SHA-512:	29918549E4E46A74DFE8F9D99743A1FEA2A4EAD15943A8612AC530208075EE708DF9908E778494F8348C522BC4BBB9A2A3BC43B66B2D6D3A70031511F202679C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1655
Entropy (8bit):	5.165507625778931
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3f
MD5:	55D8D7A9509EE994B96E1EB880C39935
SHA1:	6A017D91DF07846CD90EB5CD160474E905DC06EC
SHA-256:	14A81BBC5132534A225A0B9EA5049B55F10CC24B8AB0B405ED21F3245B41A566
SHA-512:	29918549E4E46A74DFE8F9D99743A1FEA2A4EAD15943A8612AC530208075EE708DF9908E778494F8348C522BC4BBB9A2A3BC43B66B2D6D3A70031511F202679C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Local\Temp\tmpE91E.tmp

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1655
Entropy (8bit):	5.165507625778931
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBTtn:cbhH7MlNQ8/rydbz9I3YODOLNdq3f
MD5:	55D8D7A9509EE994B96E1EB880C39935
SHA1:	6A017D91DF07846CD90EB5CD160474E905DC06EC
SHA-256:	14A81BBC5132534A225A0B9EA5049B55F10CC24B8AB0B405ED21F3245B41A566
SHA-512:	29918549E4E46A74DFE8F9D99743A1FEA2A4EAD15943A8612AC530208075EE708DF9908E778494F8348C522BC4BBB9A2A3BC43B66B2D6D3A70031511F202679C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Jdq:W
MD5:	957331451386AE435E3B86B0084CC12E
SHA1:	4612E788AAA86585B69B5FEA3592B3C62148BE7E
SHA-256:	B4CE45C0E6531694158D06FB628C97C2591C419C009772463F04BFF2C39CA7DB
SHA-512:	1418FD7FA9A1C8DBC593E690F0D8DC3F3E12956FCD97139EED7C69F46AB82715C548A13C2286CE84E8C1BCC46677CDBFC62AF9DE88E96267B1AC6216ED336470
Malicious:	true
Preview:	@..8B..H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	data
Category:	modified
Size (bytes):	327432
Entropy (8bit):	7.99938831605763
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
MD5:	7E8F4A764B981D5B82D1CC49D341E9C6
SHA1:	D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
SHA-256:	0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
SHA-512:	880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	47
Entropy (8bit):	4.027473159958119
Encrypted:	false
SSDEEP:	3:oN0naRRvuSKBsxiN:oNcSRy0iN
MD5:	73E6904F37156BBD5D7A3AE29190ABF2
SHA1:	DA061628C1D1BE6C8648A9F3A26ABAB6F273B8E6
SHA-256:	95727C1D0DD9664E84D3F23C5D499F4B050AFAE9045E3D362F8E47CBC2F3BECD
SHA-512:	1060C4516C7A0F336A53C3D60FACD4E0275885E42743CEEFC0849D55BD99278E1EC051E4033AF3A78675E42F52750932D4C6CE0EAA4B544CD055B8D7AB0615F4
Malicious:	false
Preview:	C:\Users\user\Desktop\Jens Frodesen CV.exe

C:\Users\user\AppData\Roaming\LrSEeB.exe

Download File

Process:	C:\Users\user\Desktop\Jens Frodesen CV.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1053184
Entropy (8bit):	6.863226854581627
Encrypted:	false
SSDEEP:	12288:kgqC2JPYZVj5taS55PO88JplF4HwjADqjJ5ndW+/Pi7gvkdCOVy/0BA+l6lhIiob:kg52p4J5tz688j4HojrIaE
MD5:	89197E451346ED5A3BA154F394948DE7
SHA1:	0E9D39EC84881CA095A9C1400D64EC586E983402
SHA-256:	DBAB1BF30E571BDDF1C21A19BEDEBFFD5A348145EA76ABDDC34A5172DF49AA3B
SHA-512:	F1C6BBDCB883E3DF94F497B5F7832A02AA455BEC92C680CD4DB0DDD9870E2AB3FBFB012C10B6E1983CDA81F3652C4878639E858D48E311394F8258D06D7E47B6
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 60% Antivirus: Metadefender, Detection: 33%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<1c..............P..:...........X... ...`....@.. .......................`............@..................................W..K....`.. ....................@....................................................... ............... ..H............text...48... ...:.................. ..`.rsrc... ....`.......<..............@..@.reloc.......@......................@..B.................X......H.......`E...................+.............................................(&...&..('.....s(........s)........s........s+........s,........Z........o?...........&..(@....j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+.j..{....(...+}.....{....+....{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+...{......,.+.....,.rq..psB...z..\|....(...+&........".......*

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.863226854581627
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Jens Frodesen CV.exe
File size:	1053184
MD5:	89197e451346ed5a3ba154f394948de7
SHA1:	0e9d39ec84881ca095a9c1400d64ec586e983402
SHA256:	dbab1bf30e571bddf1c21a19bedebffd5a348145ea76abddc34a5172df49aa3b
SHA512:	f1c6bbdcb883e3df94f497b5f7832a02aa455bec92c680cd4db0ddd9870e2ab3fbfb012c10b6e1983cda81f3652c4878639e858d48e311394f8258d06d7e47b6
SSDEEP:	12288:kgqC2JPYZVj5taS55PO88JplF4HwjADqjJ5ndW+/Pi7gvkdCOVy/0BA+l6lhIiob:kg52p4J5tz688j4HojrIaE
TLSH:	F125195831E6329EF46BC6B58FD87CF59A56F632431F5177607302898B2ED82CE90872
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<1c..............P..:...........X... ...`....@.. .......................`............@................................

File Icon


Icon Hash:	64f4d4dcdcdce4ec

Static PE Info

General

Entrypoint:	0x4f582e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63313CDF [Mon Sep 26 05:47:11 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf57e0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf6000	0xd320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf3834	0xf3a00	False	0.6070470834402257	data	6.901351263212902	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf6000	0xd320	0xd400	False	0.24318248820754718	data	4.756478683576001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xf6280	0x176d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xf79f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0
RT_ICON	0xfbc18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0
RT_ICON	0xfe1c0	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0
RT_ICON	0xffc28	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0
RT_ICON	0x100cd0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0
RT_ICON	0x101658	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0
RT_ICON	0x101d10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0
RT_GROUP_ICON	0x102178	0x76	data
RT_VERSION	0x1021f0	0x314	data
RT_MANIFEST	0x102504	0xe15	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.7171.22.30.1704973019892816766 09/28/22-04:13:14.999476	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49730	1989	192.168.2.7	171.22.30.170
192.168.2.7171.22.30.1704971619892816766 09/28/22-04:12:02.248719	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	1989	192.168.2.7	171.22.30.170
171.22.30.170192.168.2.71989497292841753 09/28/22-04:13:08.192973	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1989	49729	171.22.30.170	192.168.2.7
171.22.30.170192.168.2.71989497142841753 09/28/22-04:11:48.761471	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1989	49714	171.22.30.170	192.168.2.7
171.22.30.170192.168.2.71989497322841753 09/28/22-04:13:50.237286	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1989	49732	171.22.30.170	192.168.2.7
192.168.2.7171.22.30.1704971419892816766 09/28/22-04:11:48.872256	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	1989	192.168.2.7	171.22.30.170
171.22.30.170192.168.2.71989497312841753 09/28/22-04:13:20.783532	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	1989	49731	171.22.30.170	192.168.2.7
192.168.2.7171.22.30.1704971519892816766 09/28/22-04:11:55.135716	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	1989	192.168.2.7	171.22.30.170

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2022 04:11:47.216166973 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:47.244659901 CEST	1989	49714	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:47.244803905 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:47.480103970 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:47.561458111 CEST	1989	49714	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:47.841763973 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:48.081073046 CEST	1989	49714	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:48.761471033 CEST	1989	49714	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:48.872256041 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:48.970669985 CEST	1989	49714	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:49.853272915 CEST	49714	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:54.296312094 CEST	49715	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:54.323734999 CEST	1989	49715	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:54.323832989 CEST	49715	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:54.324443102 CEST	49715	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:54.454488039 CEST	1989	49715	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:55.135715961 CEST	49715	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:11:55.257941961 CEST	1989	49715	171.22.30.170	192.168.2.7
Sep 28, 2022 04:11:56.283302069 CEST	49715	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:00.608197927 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:00.635656118 CEST	1989	49716	171.22.30.170	192.168.2.7
Sep 28, 2022 04:12:00.635793924 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:00.636326075 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:00.711595058 CEST	1989	49716	171.22.30.170	192.168.2.7
Sep 28, 2022 04:12:01.263540983 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:01.411520004 CEST	1989	49716	171.22.30.170	192.168.2.7
Sep 28, 2022 04:12:02.248718977 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:02.411017895 CEST	1989	49716	171.22.30.170	192.168.2.7
Sep 28, 2022 04:12:03.264863014 CEST	49716	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:12:07.453716993 CEST	49718	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:10.477433920 CEST	49718	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:16.587308884 CEST	49718	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:28.212622881 CEST	49719	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:31.197839975 CEST	49719	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:37.198277950 CEST	49719	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:49.280534029 CEST	49728	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:52.387058973 CEST	49728	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:12:58.387623072 CEST	49728	1989	192.168.2.7	171.22.30.97
Sep 28, 2022 04:13:08.045222998 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.072586060 CEST	1989	49729	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:08.072699070 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.073422909 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.192972898 CEST	1989	49729	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:08.341450930 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.724486113 CEST	1989	49729	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:08.736243010 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.776987076 CEST	1989	49729	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:08.931526899 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:08.998291969 CEST	49729	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:13.241271019 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:13.268585920 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:13.268773079 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:13.269579887 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:13.442826033 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:13.998595953 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:14.138187885 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:14.545727015 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:14.546179056 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:14.573961973 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:14.599947929 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:14.739052057 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:14.999475956 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.136562109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.207856894 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.207937956 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.207983971 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.208033085 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.208065033 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.208122969 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.235377073 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235421896 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235445976 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235471964 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235495090 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235518932 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235543966 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235569954 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.235621929 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.235687971 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.263062000 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263102055 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263119936 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263139009 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263158083 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263175964 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263194084 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263212919 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263231039 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263248920 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263267040 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263283968 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263290882 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.263300896 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263319016 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263336897 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.263401985 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.263453960 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290501118 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290541887 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290563107 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290581942 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290600061 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290617943 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290635109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290640116 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290654898 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290677071 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290683985 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290695906 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290697098 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290710926 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290716887 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290735006 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290752888 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290771961 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290772915 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290791035 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290795088 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290807962 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290826082 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290826082 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290843964 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290862083 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290864944 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290896893 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290916920 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290935993 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290950060 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290955067 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290973902 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290977955 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.290992022 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.290996075 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.291054964 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318521976 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318562984 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318587065 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318610907 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318634987 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318655014 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318658113 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318684101 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318695068 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318707943 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318716049 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318733931 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318756104 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318758011 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318782091 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318795919 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318804979 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318830013 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318851948 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318870068 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318892002 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318897963 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.318929911 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318954945 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318978071 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.318995953 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319000006 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319022894 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319036007 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319045067 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319060087 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319067955 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319091082 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319117069 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319128990 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319140911 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319155931 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319164991 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319195032 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319226027 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319235086 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319259882 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319262028 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319284916 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319308996 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319320917 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319331884 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319355965 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319377899 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319379091 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319402933 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319422960 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319425106 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319449902 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319468021 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319473982 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319497108 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319516897 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319520950 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319545031 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319566965 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319586039 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319591045 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319611073 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319613934 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319638014 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319659948 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319680929 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319685936 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319709063 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319709063 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319734097 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.319753885 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.319756985 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.320574999 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347090006 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347136974 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347157001 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347174883 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347193956 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347217083 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347235918 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347254038 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347271919 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347290039 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347307920 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347326040 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347342968 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347361088 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347583055 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347583055 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347583055 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347583055 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347719908 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347758055 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347783089 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347807884 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347831964 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347832918 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347857952 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347882032 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347893953 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347904921 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347929001 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347935915 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.347953081 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347976923 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.347976923 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348000050 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348009109 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348022938 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348047018 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348068953 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348073959 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348092079 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348115921 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348126888 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348139048 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348165035 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348167896 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348189116 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348201990 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348213911 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348237991 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348262072 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348262072 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348287106 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348313093 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348319054 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348336935 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348361969 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348366976 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348390102 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348392010 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348414898 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348439932 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348448992 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348464966 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348489046 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348507881 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348514080 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348539114 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348543882 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348562002 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348586082 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.348589897 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.348661900 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.353765965 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375734091 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375773907 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375839949 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375849962 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.375865936 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375895023 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.375905037 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375926971 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375973940 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375997066 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.375996113 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376020908 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376077890 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376121044 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376131058 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376131058 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376148939 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376173019 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376202106 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376220942 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376226902 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376250029 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376274109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376302958 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376316071 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376339912 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376362085 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376378059 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376396894 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376414061 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376435995 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376465082 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376487970 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376511097 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376553059 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376554966 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376596928 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376624107 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376636028 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376660109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376683950 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376724005 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376724958 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376744032 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376763105 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376785994 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376812935 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376825094 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376847982 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376873970 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376887083 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376909971 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376933098 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376971960 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.376975060 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.376992941 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377016068 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377029896 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.377029896 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.377038002 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377060890 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377078056 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.377082109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377104998 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377125978 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377130985 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.377149105 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377170086 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377171040 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.377192020 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.377233028 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405237913 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405272961 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405365944 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405385017 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405404091 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405424118 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405441999 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405446053 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405462980 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405482054 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405499935 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405519962 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405538082 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405555010 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405564070 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405564070 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405575037 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405586958 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405595064 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405612946 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405632019 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405649900 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405668020 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405668020 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405668020 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405689001 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405704021 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405719042 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405738115 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405751944 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405766010 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405780077 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405793905 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405812979 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405826092 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405841112 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405848980 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405848980 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405848980 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405859947 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405874968 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405890942 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405909061 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405910969 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405930042 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405949116 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405962944 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405981064 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.405981064 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405981064 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.405994892 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406008005 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406012058 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406025887 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406044960 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406063080 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406080008 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406097889 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406097889 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406097889 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406115055 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406133890 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406132936 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406155109 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406163931 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406172991 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406191111 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.406202078 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.406234026 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.433883905 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.433933020 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.433960915 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.433986902 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434012890 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434040070 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434053898 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434067965 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434106112 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434119940 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434145927 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434156895 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434195042 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434209108 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434228897 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434263945 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434274912 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434300900 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434335947 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434349060 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434370995 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434406042 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434441090 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434454918 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434477091 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434489012 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434511900 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434545994 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434556007 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434581041 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434614897 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434649944 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434660912 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434684992 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434694052 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434721947 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.434772015 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:15.434775114 CEST	1989	49730	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:15.482672930 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:16.055910110 CEST	49730	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:20.643836021 CEST	49731	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:20.678610086 CEST	1989	49731	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:20.678926945 CEST	49731	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:20.682928085 CEST	49731	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:20.783531904 CEST	1989	49731	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:20.827610970 CEST	49731	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:21.410090923 CEST	49731	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:25.973526001 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:26.000703096 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:26.000984907 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:26.001482010 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:26.141622066 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:28.288698912 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:28.288968086 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:28.434674025 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:28.835153103 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:28.835879087 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:28.932065964 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.105439901 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.117167950 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:29.149656057 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.155787945 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:29.183612108 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.183736086 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:29.256184101 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.256278992 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:29.432497978 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:29.432594061 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:29.532272100 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:31.826893091 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:31.999679089 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:33.494821072 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:33.687392950 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:37.729382038 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:37.781380892 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:43.653090000 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:43.703727007 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:43.731108904 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:43.797451019 CEST	49732	1989	192.168.2.7	171.22.30.170
Sep 28, 2022 04:13:50.237286091 CEST	1989	49732	171.22.30.170	192.168.2.7
Sep 28, 2022 04:13:50.282743931 CEST	49732	1989	192.168.2.7	171.22.30.170

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2022 04:11:47.158247948 CEST	60326	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:11:47.179531097 CEST	53	60326	8.8.8.8	192.168.2.7
Sep 28, 2022 04:11:54.248167992 CEST	50835	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:11:54.269999981 CEST	53	50835	8.8.8.8	192.168.2.7
Sep 28, 2022 04:12:00.577048063 CEST	50505	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:12:00.594331980 CEST	53	50505	8.8.8.8	192.168.2.7
Sep 28, 2022 04:13:08.023263931 CEST	62679	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:13:08.043982029 CEST	53	62679	8.8.8.8	192.168.2.7
Sep 28, 2022 04:13:13.217652082 CEST	61392	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:13:13.238759041 CEST	53	61392	8.8.8.8	192.168.2.7
Sep 28, 2022 04:13:20.614382982 CEST	52104	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:13:20.634161949 CEST	53	52104	8.8.8.8	192.168.2.7
Sep 28, 2022 04:13:25.937551975 CEST	65356	53	192.168.2.7	8.8.8.8
Sep 28, 2022 04:13:25.958398104 CEST	53	65356	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 28, 2022 04:11:47.158247948 CEST	192.168.2.7	8.8.8.8	0x5858	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:11:54.248167992 CEST	192.168.2.7	8.8.8.8	0xa4be	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:12:00.577048063 CEST	192.168.2.7	8.8.8.8	0xb457	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:08.023263931 CEST	192.168.2.7	8.8.8.8	0x1871	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:13.217652082 CEST	192.168.2.7	8.8.8.8	0xf480	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:20.614382982 CEST	192.168.2.7	8.8.8.8	0x35d3	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:25.937551975 CEST	192.168.2.7	8.8.8.8	0xdcfb	Standard query (0)	brightnano1.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 28, 2022 04:11:47.179531097 CEST	8.8.8.8	192.168.2.7	0x5858	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:11:54.269999981 CEST	8.8.8.8	192.168.2.7	0xa4be	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:12:00.594331980 CEST	8.8.8.8	192.168.2.7	0xb457	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:08.043982029 CEST	8.8.8.8	192.168.2.7	0x1871	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:13.238759041 CEST	8.8.8.8	192.168.2.7	0xf480	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:20.634161949 CEST	8.8.8.8	192.168.2.7	0x35d3	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false
Sep 28, 2022 04:13:25.958398104 CEST	8.8.8.8	192.168.2.7	0xdcfb	No error (0)	brightnano1.ddns.net	171.22.30.170	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	04:11:17
Start date:	28/09/2022
Path:	C:\Users\user\Desktop\Jens Frodesen CV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Jens Frodesen CV.exe"
Imagebase:	0x930000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.286466691.0000000003EF9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.290258767.00000000041C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	04:11:38
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmp476F.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	04:11:38
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	04:11:38
Start date:	28/09/2022
Path:	C:\Users\user\Desktop\Jens Frodesen CV.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x610000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.544223992.0000000005DD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548893461.00000000070B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.536015397.0000000003F25000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.518836400.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000000.278495402.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.526400449.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.544737083.0000000006150000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.537384357.0000000004010000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.541798909.0000000005400000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548537445.0000000007080000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.531321593.0000000003CDF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.549029017.00000000070C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.542986660.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.542226366.0000000005D60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548413055.0000000007070000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.542387318.0000000005D70000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.486665310.0000000006A38000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.542908530.0000000005DB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.549521024.0000000007100000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548343986.0000000007060000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.535141648.0000000003EAF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.548639274.0000000007090000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	04:11:42
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp7194.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	04:11:42
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	04:11:43
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp75AC.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	04:11:43
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	04:11:44
Start date:	28/09/2022
Path:	C:\Users\user\Desktop\Jens Frodesen CV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Jens Frodesen CV.exe" 0
Imagebase:	0xe80000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	04:11:45
Start date:	28/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Imagebase:	0xd30000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 60%, ReversingLabs Detection: 57%, Virustotal, Browse Detection: 33%, Metadefender, Browse
Reputation:	low

Show Windows behavior

Target ID:	20
Start time:	04:11:51
Start date:	28/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0xe10000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	22
Start time:	04:12:09
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	23
Start time:	04:12:12
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	24
Start time:	04:12:12
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	04:12:12
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	27
Start time:	04:12:13
Start date:	28/09/2022
Path:	C:\Users\user\Desktop\Jens Frodesen CV.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0xf0000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	04:12:14
Start date:	28/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xfe0000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.411921875.0000000004408000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.405231773.0000000003391000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.411534974.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000002.410904877.00000000043DB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	29
Start time:	04:12:14
Start date:	28/09/2022
Path:	C:\Users\user\Desktop\Jens Frodesen CV.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc70000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001D.00000002.405844203.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Show Windows behavior

Target ID:	30
Start time:	04:12:20
Start date:	28/09/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LrSEeB" /XML "C:\Users\user\AppData\Local\Temp\tmpE91E.tmp
Imagebase:	0x12c0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	31
Start time:	04:12:21
Start date:	28/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6edaf0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	32
Start time:	04:12:23
Start date:	28/09/2022
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd30000
File size:	1053184 bytes
MD5 hash:	89197E451346ED5A3BA154F394948DE7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Execution Graph

Execution Coverage:	10.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	88
Total number of Limit Nodes:	6

Executed Functions

Function 0125BB21 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0125BB90
GetCurrentThread.KERNEL32 ref: 0125BBCD
GetCurrentProcess.KERNEL32 ref: 0125BC0A
GetCurrentThreadId.KERNEL32 ref: 0125BC63

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8ef7218da3c84381b142f753448a7610d36022269ce479f03049cd648f9fdaaf
Instruction ID: 0576ff1fffa95902fe56eb7c707364b1bc8fbc98837302623bb8e7f13f24fbaf
Opcode Fuzzy Hash: 8ef7218da3c84381b142f753448a7610d36022269ce479f03049cd648f9fdaaf
Instruction Fuzzy Hash: 0D5174B0D00249DFDB14CFAAD588BDEBBF1EF48314F248459E819A7350D7746884CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0125BB30 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0125BB90
GetCurrentThread.KERNEL32 ref: 0125BBCD
GetCurrentProcess.KERNEL32 ref: 0125BC0A
GetCurrentThreadId.KERNEL32 ref: 0125BC63

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e04bc6d82f417410ca069a5406070f45afb95bc27e65925f18211957629caf5d
Instruction ID: caeb6d23a6c47392bec5d6cfccae76374ed066bd9ecf5d1b3a2c1386f57a3373
Opcode Fuzzy Hash: e04bc6d82f417410ca069a5406070f45afb95bc27e65925f18211957629caf5d
Instruction Fuzzy Hash: E25163B0E00249CFDB14CFAAD588BDEBBF1EF48308F248459E919A7350D7756884CB69

Uniqueness

Uniqueness Score: -1.00%

Function 01259830 Relevance: 1.7, APIs: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01259A76

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 824e7ef05bfa8e7d2ed740def2e570742b15b84b6962f0ce3aaad6b1b43bcfbb
Instruction ID: ef611ffb87d7e47b2344a5b5845adec3d9ff615c6911fb066c29d9cb2c8ebb54
Opcode Fuzzy Hash: 824e7ef05bfa8e7d2ed740def2e570742b15b84b6962f0ce3aaad6b1b43bcfbb
Instruction Fuzzy Hash: 18714770A10B06CFDB64DF6AD48475ABBF1FF88208F008A2DD55AD7A40D775E845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0125BD58 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0125BDDF

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1a2f15eb141c08647e1e3bc655ad736a95c8aaf48273c31427988e412155bc40
Instruction ID: cd1a43e2820905529e42512c97ff6576fb0eb118d7b37ef6ccc496462d1bec2c
Opcode Fuzzy Hash: 1a2f15eb141c08647e1e3bc655ad736a95c8aaf48273c31427988e412155bc40
Instruction Fuzzy Hash: D421E4B5900209AFDB10CFAAD884ADEFBF4FB48324F14801AE915A3310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012592F0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01259AF1,00000800,00000000,00000000), ref: 01259D02

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e440fccaac7beadf61fa84b716bc6720041e76da04d376a83b09851381542c20
Instruction ID: 4fba331e53c011550cd9dbca709cabc4bd030926f356cbef64e9a8486891cfae
Opcode Fuzzy Hash: e440fccaac7beadf61fa84b716bc6720041e76da04d376a83b09851381542c20
Instruction Fuzzy Hash: 8711E4B6914209DFDB10CF9AD884BDEFBF4EB88364F14842AD919A7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01259A10 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01259A76

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 18ec16ae0c14d4b315e99391f2c80b373005715bef76aa11ad5d671f1939aeeb
Instruction ID: ceeb56b300090ec9de0736c6f479a2cc8e8fb083755efd0a26758fb16d2515fa
Opcode Fuzzy Hash: 18ec16ae0c14d4b315e99391f2c80b373005715bef76aa11ad5d671f1939aeeb
Instruction Fuzzy Hash: 5B11C0B5D00249CBDF10CF9AD484BDEFBF4AB88224F14851AD969A7600C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 011ED3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281092433.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f3f4b12f35f1fdfd088369577af67e6ac8986e220835637084cf6d9d7ad06ff
Instruction ID: 7221f3bcde253cbc1a1d0fef452f33a2c81f17cbe78c0419839e1e64b719075e
Opcode Fuzzy Hash: 5f3f4b12f35f1fdfd088369577af67e6ac8986e220835637084cf6d9d7ad06ff
Instruction Fuzzy Hash: 822148B1504604DFDF09CF94E8C8B66BBA5FB98324F24C569E9094B607C336E846C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281146591.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519e7f7d7ea042bc8aee11901f4c5706f052410fa0ae4a1f76525fa35562bf0c
Instruction ID: cc30d0b865b4b32ac4d14d080d22df8e3033ee23d3f8cb08f36e13f01e5eb7de
Opcode Fuzzy Hash: 519e7f7d7ea042bc8aee11901f4c5706f052410fa0ae4a1f76525fa35562bf0c
Instruction Fuzzy Hash: B42125B1504204DFDF19CF54E8C4B26BB65FB88354F24C66DDA094B246C336D847CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011FD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281146591.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9720131469b6f950b7035f9eda001498aaaad5f3edd7d79e8b75f907e3f2dc6
Instruction ID: 5be2d6bbdf4e7c7c307534c54bb6b0016830f117e5914aaed2779965da3f9767
Opcode Fuzzy Hash: c9720131469b6f950b7035f9eda001498aaaad5f3edd7d79e8b75f907e3f2dc6
Instruction Fuzzy Hash: F5212CB5504204DFDF09CF94E9C4B36BB65FB84324F24C56DEA094B246C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281146591.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2b72f2b54ff745439c65828ffb8fbb6d8abb5fca9eb3cba9e2e478cd5faed8
Instruction ID: 0a6dcffbb633bf242c09f9dadff9b6c217e6f1ceb1d83c65b56a24c4e64593a8
Opcode Fuzzy Hash: 7c2b72f2b54ff745439c65828ffb8fbb6d8abb5fca9eb3cba9e2e478cd5faed8
Instruction Fuzzy Hash: 2721CF754083808FCB07CF24D990B15BF71EB46214F28C6EEC8488B667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 011ED3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281092433.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction ID: df95d68a02aa5f53e2dbab3ac8432801e73ec7bfff94d56de4d24c636af3a932
Opcode Fuzzy Hash: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction Fuzzy Hash: 5811B1B6404680CFDF16CF54E9C4B56BFB1FB94324F28C6A9D8450BA16C336E456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011FD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281146591.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11fd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction ID: cf7767cef8ac2cd944fd88bb510189cf52f072a80e4efc745f9b09dfc024650d
Opcode Fuzzy Hash: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction Fuzzy Hash: 3211BE79504280DFDF06CF54D5C4B25BB71FB84224F24C6AED9494B656C33AD44ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 011ED745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281092433.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e938d90e78e8d3e9dce2ca1745cd1ec1770a0f3f9928f6717d612d72773020
Instruction ID: 63e55a95505985b3c8e64d8bcb48686d4511650eb930e1cd3d76a2f007f24c50
Opcode Fuzzy Hash: a8e938d90e78e8d3e9dce2ca1745cd1ec1770a0f3f9928f6717d612d72773020
Instruction Fuzzy Hash: 1E014C71808B849EEB144BD5DCC8766FBD8DF4123CF09851AEE094B247C3349444C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 011ED744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281092433.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11ed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006558d83c4f24dc29ee7b83ec7f309e2064d3554a7746f80320020b51662b5d
Instruction ID: 49edcd505fa4de9faa5f9383bbc7b2874482a287790f9e0f4c46b4b853e6adc0
Opcode Fuzzy Hash: 006558d83c4f24dc29ee7b83ec7f309e2064d3554a7746f80320020b51662b5d
Instruction Fuzzy Hash: 44F0C2714046849EEB158F5ADCC8B62FFE8EB81338F18C45AED084B287C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0125E8D8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736aac44d75c30d67bdf72f62a07282a2bc435bfd653407caa6cd7d47ce2bf33
Instruction ID: a82b58009639a228a0b6fdb7ff86ce28ed38754ea062239520f796824c41f7de
Opcode Fuzzy Hash: 736aac44d75c30d67bdf72f62a07282a2bc435bfd653407caa6cd7d47ce2bf33
Instruction Fuzzy Hash: 2812C4F1CD17468AD712DF65E8983A97BA0F7863A8FD04B08D2613BAD0D7B4116ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0125C64C Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cc058c031e0953848f10d4805e3b8866f2a5c0b98a5758395aad2d7245e617c
Instruction ID: 2e0bb9f50fcae73fcc363c77f117bc4b84e02b8d954c0f97f8f02beafdca1b19
Opcode Fuzzy Hash: 1cc058c031e0953848f10d4805e3b8866f2a5c0b98a5758395aad2d7245e617c
Instruction Fuzzy Hash: 67A18432E2021ACFCF15DFA5C8845EDBBB6FF85300B15856AED05BB221EB71A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0125E8C9 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.281420902.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1250000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efc351e565eba3e670c393319888c7fb365c4d918c63e4a55b4b4e814757c9a
Instruction ID: e289af1a012dd82f0e51a8216e75ff21d1fbacd8d92c174db26519c495fb2ad9
Opcode Fuzzy Hash: 6efc351e565eba3e670c393319888c7fb365c4d918c63e4a55b4b4e814757c9a
Instruction Fuzzy Hash: 92C138F1CD17468BD712DF65E8883997BA1FB863A8F904B08D2613B6D0D7B4146ACF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Jens Frodesen CV.exePID: 5344, Parent PID: 2932COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	7

Executed Functions

Function 0654C088 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa1c99908f109422ed20c0c75f071ef267533c6be9131c363566bdede124ca6
Instruction ID: bdac9f01e1393c2332c34fedc66a5c800f356b641911e56ca1e1f14c041a152d
Opcode Fuzzy Hash: 9fa1c99908f109422ed20c0c75f071ef267533c6be9131c363566bdede124ca6
Instruction Fuzzy Hash: 1D51F378E01208DFDB04DFA4D999AEDBBB2FB89314F10802AE805B73A5DB346945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0654FD88 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf3a7fad64e3520439a170833e555854b23fd7c83b6bab9f9dd974f7a545c38a
Instruction ID: 74ea1c77a0e10aee41570728ca91f30917370281669e139953d47f3d337c3281
Opcode Fuzzy Hash: cf3a7fad64e3520439a170833e555854b23fd7c83b6bab9f9dd974f7a545c38a
Instruction Fuzzy Hash: D5110430E162148FDB45AFB9E5497EDBFB0FB8B21AF0494ABD004B3281CB344445CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0654FDC1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d2a6963e78c708d416337d2b5632b4f053cecd23558b1cb7174c993076c437
Instruction ID: 09e5ee7a3d8321b91b3179458ab38c57de2daa817cc1506c66c614d9bf7344d1
Opcode Fuzzy Hash: 96d2a6963e78c708d416337d2b5632b4f053cecd23558b1cb7174c993076c437
Instruction Fuzzy Hash: C301BC30E112048FDB059FB8E1593ECBFB0BB8A302F14646AD044B3241DB344495CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0654FDD0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e67a18a46f91a71ca8da587a3e02222c662a8dfcb140a103f97b59277ae1a0
Instruction ID: fbed31fba50a38e22211059b8bafb199176a9e2eca1c7813b25bad7f2c7e666d
Opcode Fuzzy Hash: 63e67a18a46f91a71ca8da587a3e02222c662a8dfcb140a103f97b59277ae1a0
Instruction Fuzzy Hash: E5F0AF30E112189FDB44AFA9E5497EDBFB4FB8E316F14A46AE004B3281DB344954CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B6C0 Relevance: 6.1, APIs: 4, Instructions: 126
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9B730
GetCurrentThread.KERNEL32 ref: 00F9B76D
GetCurrentProcess.KERNEL32 ref: 00F9B7AA
GetCurrentThreadId.KERNEL32 ref: 00F9B803

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6aed5be007274f3524bb59920e5697c2399da72199d1280992f16f9dfde51411
Instruction ID: 8363bc932feb642af5262fb599d88aaa68342307ffdf2ce5f5af6ae0f507f483
Opcode Fuzzy Hash: 6aed5be007274f3524bb59920e5697c2399da72199d1280992f16f9dfde51411
Instruction Fuzzy Hash: 1C5163B0D002498FDB10CFA9E688BDEBBF0EF88314F24855AE419B7251C7759945CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00F9B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9B730
GetCurrentThread.KERNEL32 ref: 00F9B76D
GetCurrentProcess.KERNEL32 ref: 00F9B7AA
GetCurrentThreadId.KERNEL32 ref: 00F9B803

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1134206320e523c984d0dd785894241a4312c6a8a009cf8c43a076f73f3c7fa1
Instruction ID: fca004009271b6ba55e04077604aea34bfbbd82abf033c86c62b011fe8e0bfba
Opcode Fuzzy Hash: 1134206320e523c984d0dd785894241a4312c6a8a009cf8c43a076f73f3c7fa1
Instruction Fuzzy Hash: EB5143B0D002598FDB14CFAAE688BDEBBF1AF88314F248559E419B7350C7756844CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00F993E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F9962E

Strings

HR, xrefs: 00F99566
HR, xrefs: 00F9958B

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: HandleModule
String ID: HR$HR
API String ID: 4139908857-4037001784
Opcode ID: a489732cc94e32a0817fab8903ebbcaf630d4238156eb9a6baf98d157069ff80
Instruction ID: d1839f1686412517bddf1e7b5e66918759261105f8e279f609c68d595bcdcb99
Opcode Fuzzy Hash: a489732cc94e32a0817fab8903ebbcaf630d4238156eb9a6baf98d157069ff80
Instruction Fuzzy Hash: 05714670A04B058FEB24DF29D4417AAB7F1FF88314F118A2ED48AD7A50DB75E846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06543738 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbcc93c22db6946500f1b3fb6adc53af445fc364ffeea456e3e6203bf00e033
Instruction ID: 4f8db8fb04661be86bd6a871b16e342e098e9035bbba7fc638b099599ed3b91b
Opcode Fuzzy Hash: 6fbcc93c22db6946500f1b3fb6adc53af445fc364ffeea456e3e6203bf00e033
Instruction Fuzzy Hash: 778188B1D04209CFDB10DFAAC8806DEFBB1FF89318F10852AD815AB260DB75A945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 065437E4 Relevance: 1.6, APIs: 1, Instructions: 141
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06543918

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 50aa0d133429f5fc613f8ad3547451ab2f1976ee167d88b8aa5cb0a8535e5ecc
Instruction ID: d608d8419f97ebfae1b56208ad875d23df843c8aa31ead6e172a000373e4beed
Opcode Fuzzy Hash: 50aa0d133429f5fc613f8ad3547451ab2f1976ee167d88b8aa5cb0a8535e5ecc
Instruction Fuzzy Hash: FD5123B1D002589FDB14DFA9C984BDDBBB1FF48318F14812AE819AB250DB75A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06541ADC Relevance: 1.6, APIs: 1, Instructions: 140
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DnsQuery_A.DNSAPI(?,?,?,?,?,?), ref: 06543918

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID: Query_
String ID:
API String ID: 428220571-0
Opcode ID: 90219efdf59c6efc312f8d9eda6dd5890a2fe6cdaca866dbe2540e424660e17f
Instruction ID: a18495c6bedc3cf0321f746d1752b640aae5fcbe7ab8956dca7d43144b310ae5
Opcode Fuzzy Hash: 90219efdf59c6efc312f8d9eda6dd5890a2fe6cdaca866dbe2540e424660e17f
Instruction Fuzzy Hash: A75134B1C046589FDB14DFAAC884BDEBBB1FF48318F108129E814AB250DB75A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FBEC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F9FD0A

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: fb2434acf5784e1bec2ee1505118a16d9fa06d57dcfa331943c07ad978d030e4
Instruction ID: a21e9aca512391ae9f7e196954b3bf98b55247fbbfa1ecff4f54685f98f0ee2a
Opcode Fuzzy Hash: fb2434acf5784e1bec2ee1505118a16d9fa06d57dcfa331943c07ad978d030e4
Instruction Fuzzy Hash: A151AFB1D00249DFDF14CF99D884ADEBBB5FF88354F24812AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FBF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F9FD0A

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b44dfa431670e4498a787962c258e5d455a10118413c3bfaef8367767c44718e
Instruction ID: 2978351887e9d6c17c2e9283ad56c2513f1761a3d4536dae00ab19b9f6462c6d
Opcode Fuzzy Hash: b44dfa431670e4498a787962c258e5d455a10118413c3bfaef8367767c44718e
Instruction Fuzzy Hash: 7841AFB1D00349DFDF14CF99C884ADEBBB5BF88354F24812AE819AB210D775A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BDC1 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9BD87

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c448a2ec2054993c1efc089329e6a103718470b3d24be5cdeb93a377002a0136
Instruction ID: 82630cb7fd9ab6ff87b17d72a8df87ee39314cfb8fd4aeaabb5326150afbc4f1
Opcode Fuzzy Hash: c448a2ec2054993c1efc089329e6a103718470b3d24be5cdeb93a377002a0136
Instruction Fuzzy Hash: B931BC38A40748CFE7019F30FA487A93BB2E78A706F00422AE9498B796CB741944DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BCF9 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9BD87

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7edd247b98e4f4c1538412e6cfb1c9fd317d40d8b88f79ff978f2c6d63655183
Instruction ID: 2d90c1fe3e85e79f59d19eee4b3d18d5ca372201e88b3003aa1a744a14e35205
Opcode Fuzzy Hash: 7edd247b98e4f4c1538412e6cfb1c9fd317d40d8b88f79ff978f2c6d63655183
Instruction Fuzzy Hash: 8E21E4B5D00248AFDB10CFA9D584ADEFBF4EB48324F14801AE918A7310C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9BD00 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9BD87

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 95cccd21858c43b82ff5548e734b65f8a48f3c453ca6ad485b53c31f56048bc0
Instruction ID: 28dcf413cb1ec2525ad6d4a78a3c71e0b031d6cb854cfd366b4ea6077de5c0e1
Opcode Fuzzy Hash: 95cccd21858c43b82ff5548e734b65f8a48f3c453ca6ad485b53c31f56048bc0
Instruction Fuzzy Hash: DB21C6B5D002499FDB10CF99D584ADEFBF4EB48324F14841AE955A3310D378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F98768 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F996A9,00000800,00000000,00000000), ref: 00F998BA

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6dbd957a80991117bc6639ae604c8727871b9881dfcb5304b7eea14f96fedd95
Instruction ID: 839c4f7976832a4db831f0cf36c9ff606c92c733c219f339b8041ce75825c1de
Opcode Fuzzy Hash: 6dbd957a80991117bc6639ae604c8727871b9881dfcb5304b7eea14f96fedd95
Instruction Fuzzy Hash: 801144B2C042089FDB10CF9AC444BDEFBF4EB49324F05842ED519A7600C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F99849 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F996A9,00000800,00000000,00000000), ref: 00F998BA

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e875997715bd812d1f13cc2b73f11220cca00e1fc6f534d831c4339e42a213ae
Instruction ID: bb57632f7e74dbc0e9270bc90f92525254fed873e969ee1ae61656150b15855f
Opcode Fuzzy Hash: e875997715bd812d1f13cc2b73f11220cca00e1fc6f534d831c4339e42a213ae
Instruction Fuzzy Hash: F41126B2C002099FDB10CF9AD444BDEFBF4EB49324F05842ED419A7600C379AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F995C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F9962E

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 20fdadd9836744a358247d748aca24be6da081af9806a9171a0491c16bc5376c
Instruction ID: 0ae1e8a522b29bc4f75a018b3e940ac7dcdbad17543715649f377cfc03c06b82
Opcode Fuzzy Hash: 20fdadd9836744a358247d748aca24be6da081af9806a9171a0491c16bc5376c
Instruction Fuzzy Hash: 3011E0B6C042498FDB20CF9AD444BDEFBF4EF88324F15842AD419A7600C3B9A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FE38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00F9FE9D

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: bf1fdd34e51fffbead8b7b193ef5e19c8bad9e2a848ad0e78279a9a365002ba0
Instruction ID: 93a79a40051b5e1b6c629afed3b6773eee116b44f20ad3d8583750b455a6ac26
Opcode Fuzzy Hash: bf1fdd34e51fffbead8b7b193ef5e19c8bad9e2a848ad0e78279a9a365002ba0
Instruction Fuzzy Hash: 871103B5C002499FDB10DF99D484BDEFBF4EB48324F10841AD959A7201C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F9FE40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00F9FE9D

Memory Dump Source

Source File: 00000003.00000002.517359198.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_f90000_Jens Frodesen CV.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: c2faf1edf831b9880b07b73ea8e839d7d1ca0f2b567266e6cb46044cb289b3b3
Instruction ID: ae1b78f017cd9c4bebde0f1696ef193f3ae2bf236b8d1bf125bd14f1fe32a4ae
Opcode Fuzzy Hash: c2faf1edf831b9880b07b73ea8e839d7d1ca0f2b567266e6cb46044cb289b3b3
Instruction Fuzzy Hash: CD1112B5C002489FDB10DF9AD488BDEFBF8EB48324F10841AD919A3300C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.516305235.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c04a4a39c2d7eb23fb22106af24d3c85dc7112ca78e9495c53896f1be904b174
Instruction ID: 0260350ddf6dddfc71b6d998061883730a722dd17ea54fc2ba4a9b4c7beb5d3e
Opcode Fuzzy Hash: c04a4a39c2d7eb23fb22106af24d3c85dc7112ca78e9495c53896f1be904b174
Instruction Fuzzy Hash: 4F2137B1508244DFDB11CF54EDC0F66BF65FB98328F24856AE9095B306C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.516522310.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad8888853db55b5594ddd40a6a9d05fa9fa4850b07dc2f68ea83bf56929597c
Instruction ID: fa9da1b3a4e1e490069d4b47d6e123ea7d68a6fb8f1879e724a7e6a7acdf39e5
Opcode Fuzzy Hash: 6ad8888853db55b5594ddd40a6a9d05fa9fa4850b07dc2f68ea83bf56929597c
Instruction Fuzzy Hash: 9A2134B1508388DFCB10CF11DCC4B66BB66FB88328F28C969D8095B246C33BD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00EED005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.516522310.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_eed000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f3863f6d13e3a3c82d5b816e8ff929d87c2a6d25caf12fb8ebde86ac4440a1
Instruction ID: 5deeee28b4bb55744393200aa8aaaa702cb0c4f5eb15eb5674788189be1e3c28
Opcode Fuzzy Hash: 26f3863f6d13e3a3c82d5b816e8ff929d87c2a6d25caf12fb8ebde86ac4440a1
Instruction Fuzzy Hash: 3021807550D3C48FDB02CF24D994715BF72EB46314F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EDD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.516305235.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_edd000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction ID: 791b3a90309bc50a763157073216ff9f765edb2656db00908100bd925b206e8b
Opcode Fuzzy Hash: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction Fuzzy Hash: 6511B176808280DFDB12CF14E9C4B56BF71FB84328F2486AAD8051B716C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0654FE36 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.545270459.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6540000_Jens Frodesen CV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84a8709ddd94724b8cb0a094ffba4c276dab0ec1852bf378de6eadc730987069
Instruction ID: 60fe4bc29326d463a858fa76c5600c51abbcf901ae4cf2ddbab4cc3feb3a99bb
Opcode Fuzzy Hash: 84a8709ddd94724b8cb0a094ffba4c276dab0ec1852bf378de6eadc730987069
Instruction Fuzzy Hash: 0CE0B635E15218ABCB40EFE8F5948EDB771FB8A265F006066E519B3201CB305854CF58

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Jens Frodesen CV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jens Frodesen CV.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

C:\Users\user\AppData\Local\Temp\tmp476F.tmp

C:\Users\user\AppData\Local\Temp\tmp7194.tmp

C:\Users\user\AppData\Local\Temp\tmp75AC.tmp

C:\Users\user\AppData\Local\Temp\tmpBFFB.tmp

C:\Users\user\AppData\Local\Temp\tmpC1DF.tmp

Windows Analysis Report
Jens Frodesen CV.exe