Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PhviZrlpkW.exe

Overview

General Information

Sample Name:PhviZrlpkW.exe
Analysis ID:798336
MD5:565044691fedb39980cb814dc26f9ebd
SHA1:d92f48359c385fd03a419e583495ead52428654e
SHA256:3a1c1eabfbe52d5a822e95462e730775ea9eef9d8d653f3a1ff6904378ad3e0c
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
.NET source code contains potential unpacker
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • PhviZrlpkW.exe (PID: 4624 cmdline: C:\Users\user\Desktop\PhviZrlpkW.exe MD5: 565044691FEDB39980CB814DC26F9EBD)
    • tchnhwrvi.exe (PID: 2120 cmdline: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo MD5: 64F982758878F6A97ED4B3D99CFBD371)
      • tchnhwrvi.exe (PID: 1312 cmdline: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe MD5: 64F982758878F6A97ED4B3D99CFBD371)
  • edpm.exe (PID: 2468 cmdline: "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca MD5: 64F982758878F6A97ED4B3D99CFBD371)
    • WerFault.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • edpm.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca MD5: 64F982758878F6A97ED4B3D99CFBD371)
    • WerFault.exe (PID: 3692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "fc2f5233-89c0-4cab-99aa-8d389dd5", "Domain1": "thesopranos.duckdns.org", "Domain2": "thesopranos.duckdns.org", "Port": 1365, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0xe91:$a: NanoCore
    • 0xeea:$a: NanoCore
    • 0xf27:$a: NanoCore
    • 0xfa0:$a: NanoCore
    • 0x1464b:$a: NanoCore
    • 0x14660:$a: NanoCore
    • 0x14695:$a: NanoCore
    • 0x222aa:$a: NanoCore
    • 0x222cf:$a: NanoCore
    • 0x22328:$a: NanoCore
    • 0x324c5:$a: NanoCore
    • 0x324eb:$a: NanoCore
    • 0x32547:$a: NanoCore
    • 0x3f39c:$a: NanoCore
    • 0x3f3f5:$a: NanoCore
    • 0x3f428:$a: NanoCore
    • 0x3f654:$a: NanoCore
    • 0x3f6d0:$a: NanoCore
    • 0x3fce9:$a: NanoCore
    • 0x3fe32:$a: NanoCore
    • 0x40306:$a: NanoCore
    00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
    • 0xf27:$a1: NanoCore.ClientPluginHost
    • 0x14695:$a1: NanoCore.ClientPluginHost
    • 0x222cf:$a1: NanoCore.ClientPluginHost
    • 0x324eb:$a1: NanoCore.ClientPluginHost
    • 0x3f654:$a1: NanoCore.ClientPluginHost
    • 0x45ba2:$a1: NanoCore.ClientPluginHost
    • 0x4bb73:$a1: NanoCore.ClientPluginHost
    • 0x555df:$a1: NanoCore.ClientPluginHost
    • 0x5fa0a:$a1: NanoCore.ClientPluginHost
    • 0x6a9e7:$a1: NanoCore.ClientPluginHost
    • 0xeea:$a2: NanoCore.ClientPlugin
    • 0x14660:$a2: NanoCore.ClientPlugin
    • 0x222aa:$a2: NanoCore.ClientPlugin
    • 0x324c5:$a2: NanoCore.ClientPlugin
    • 0x3f6d0:$a2: NanoCore.ClientPlugin
    • 0x45c1c:$a2: NanoCore.ClientPlugin
    • 0x4bbbd:$a2: NanoCore.ClientPlugin
    • 0x556c9:$a2: NanoCore.ClientPlugin
    • 0x5faaa:$a2: NanoCore.ClientPlugin
    • 0x6a9be:$a2: NanoCore.ClientPlugin
    • 0x12be:$b1: get_BuilderSettings
    00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
    • 0x26455:$x1: NanoCore.ClientPluginHost
    • 0x26492:$x2: IClientNetworkHost
    • 0x29fc5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 100 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.2.tchnhwrvi.exe.4f14bbe.11.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
      • 0x170b:$x1: NanoCore.ClientPluginHost
      • 0x1725:$x2: IClientNetworkHost
      2.2.tchnhwrvi.exe.4f14bbe.11.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
      • 0x170b:$x2: NanoCore.ClientPluginHost
      • 0x34b6:$s4: PipeCreated
      • 0x16f8:$s5: IClientLoggingHost
      2.2.tchnhwrvi.exe.4f14bbe.11.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
      • 0x16e2:$x2: NanoCore.ClientPlugin
      • 0x170b:$x3: NanoCore.ClientPluginHost
      • 0x16d3:$i3: IClientNetwork
      • 0x16f8:$i6: IClientLoggingHost
      • 0x1725:$i7: IClientNetworkHost
      • 0x154e:$s1: ClientPlugin
      • 0x16eb:$s1: ClientPlugin
      2.2.tchnhwrvi.exe.4f14bbe.11.unpackWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
      • 0x170b:$a1: NanoCore.ClientPluginHost
      • 0x16e2:$a2: NanoCore.ClientPlugin
      • 0x3a54:$b7: LogClientException
      • 0x16f8:$b9: IClientLoggingHost
      2.2.tchnhwrvi.exe.73f0000.33.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
      • 0x8ba5:$x1: NanoCore.ClientPluginHost
      • 0x8bd2:$x2: IClientNetworkHost
      Click to see the 336 entries

      Sigma Signatures

      AV Detection

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      barindex
      Sigma detected: NanoCore
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Snort Signatures

      Timestamp:192.168.2.4193.31.30.1384972613652816766 02/03/23-23:19:06.285273
      SID:2816766
      Source Port:49726
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971313652816766 02/03/23-23:17:46.673206
      SID:2816766
      Source Port:49713
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971813652816766 02/03/23-23:18:21.376630
      SID:2816766
      Source Port:49718
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972113652816766 02/03/23-23:18:33.469715
      SID:2816766
      Source Port:49721
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971613652816766 02/03/23-23:18:07.532553
      SID:2816766
      Source Port:49716
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971413652816766 02/03/23-23:17:53.669627
      SID:2816766
      Source Port:49714
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972313652816766 02/03/23-23:18:47.034655
      SID:2816766
      Source Port:49723
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:193.31.30.138192.168.2.41365497022810290 02/03/23-23:17:30.731633
      SID:2810290
      Source Port:1365
      Destination Port:49702
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972513652816718 02/03/23-23:18:58.945928
      SID:2816718
      Source Port:49725
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384970213652816766 02/03/23-23:17:32.574212
      SID:2816766
      Source Port:49702
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971713652816766 02/03/23-23:18:13.577404
      SID:2816766
      Source Port:49717
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971413652816718 02/03/23-23:17:52.672539
      SID:2816718
      Source Port:49714
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971213652816766 02/03/23-23:17:40.364031
      SID:2816766
      Source Port:49712
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972213652816766 02/03/23-23:18:41.032521
      SID:2816766
      Source Port:49722
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972513652816766 02/03/23-23:18:59.896530
      SID:2816766
      Source Port:49725
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384969313652816766 02/03/23-23:17:25.471865
      SID:2816766
      Source Port:49693
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384971513652816766 02/03/23-23:18:01.525116
      SID:2816766
      Source Port:49715
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384969113652816766 02/03/23-23:17:14.041382
      SID:2816766
      Source Port:49691
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972013652816766 02/03/23-23:18:27.458779
      SID:2816766
      Source Port:49720
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected
      Timestamp:192.168.2.4193.31.30.1384972413652816766 02/03/23-23:18:53.018271
      SID:2816766
      Source Port:49724
      Destination Port:1365
      Protocol:TCP
      Classtype:A Network Trojan was detected

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: PhviZrlpkW.exeReversingLabs: Detection: 57%
      Source: PhviZrlpkW.exeVirustotal: Detection: 52%Perma Link
      Antivirus detection for URL or domain
      Source: thesopranos.duckdns.orgAvira URL Cloud: Label: malware
      Multi AV Scanner detection for dropped file
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeReversingLabs: Detection: 65%
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeVirustotal: Detection: 52%Perma Link
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeReversingLabs: Detection: 65%
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeVirustotal: Detection: 52%Perma Link
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR
      Source: 2.2.tchnhwrvi.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpackAvira: Label: TR/NanoCore.fadte
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpackAvira: Label: TR/NanoCore.fadte
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpackAvira: Label: TR/Dropper.MSIL.Gen7
      Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "fc2f5233-89c0-4cab-99aa-8d389dd5", "Domain1": "thesopranos.duckdns.org", "Domain2": "thesopranos.duckdns.org", "Port": 1365, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

      Compliance

      barindex
      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeUnpacked PE file: 2.2.tchnhwrvi.exe.3330000.5.unpack
      Source: PhviZrlpkW.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: PhviZrlpkW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\xampp\htdocs\2efa81c4e6b34188a21ceb28fac598e4\Loader\Release\Loader.pdb source: PhviZrlpkW.exe, 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp, PhviZrlpkW.exe, 00000000.00000002.314365455.0000000002859000.00000004.00000020.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000001.00000000.299162939.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000002.00000000.302278058.0000000000290000.00000002.00000001.01000000.00000004.sdmp, edpm.exe, 00000003.00000002.364296668.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000003.00000000.330467592.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000000.351397609.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000002.364278841.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe.1.dr, tchnhwrvi.exe.0.dr, nse83F1.tmp.0.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040290B FindFirstFileW,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00406715 FindFirstFileExW,

      Networking

      barindex
      Snort IDS alert for network traffic
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49691 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49693 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 193.31.30.138:1365 -> 192.168.2.4:49702
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49712 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49713 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49714 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49714 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49715 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49716 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49717 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49718 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49720 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49721 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49722 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49723 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49724 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49725 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49725 -> 193.31.30.138:1365
      Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49726 -> 193.31.30.138:1365
      C2 URLs / IPs found in malware configuration
      Source: Malware configuration extractorURLs: thesopranos.duckdns.org
      Uses dynamic DNS services
      Source: unknownDNS query: name: thesopranos.duckdns.org
      Source: Joe Sandbox ViewASN Name: QUICKPACKETUS QUICKPACKETUS
      Source: global trafficTCP traffic: 192.168.2.4:49691 -> 193.31.30.138:1365
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://google.com
      Source: PhviZrlpkW.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: unknownDNS traffic detected: queries for: thesopranos.duckdns.org
      Source: tchnhwrvi.exe, 00000001.00000002.309098073.0000000000B8A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: RegisterRawInputDevices
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

      E-Banking Fraud

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: PhviZrlpkW.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5e10000.32.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7570000.34.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7660000.45.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75d0000.38.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7660000.45.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75c0000.37.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43c0fef.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7610000.41.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3404f78.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75e0000.39.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.34257fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7620000.43.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00406D5F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028E63C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028DA0F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028D4BE
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028DF60
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028F374
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0F9C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F122C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028E63C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028DA0F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028D4BE
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028DF60
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028F374
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040CBD1
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_07671400
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_07663324
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076642EB
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076646D3
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319E470
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319E480
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319BBD4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00286EDB appears 34 times
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00401EE0 appears 33 times
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00283D50 appears 58 times
      Source: PhviZrlpkW.exeReversingLabs: Detection: 57%
      Source: PhviZrlpkW.exeVirustotal: Detection: 52%
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile read: C:\Users\user\Desktop\PhviZrlpkW.exeJump to behavior
      Source: PhviZrlpkW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Users\user\Desktop\PhviZrlpkW.exe C:\Users\user\Desktop\PhviZrlpkW.exe
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile created: C:\Users\user\AppData\Roaming\ovawcpafrwkJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile created: C:\Users\user\AppData\Local\Temp\nsu83B2.tmpJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@9/17@17/1
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_004021AA CoCreateInstance,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fc2f5233-89c0-4cab-99aa-8d389dd5dffd}
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5104
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2468
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040147B GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: GetTickCount
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Sleep
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: VirtualAlloc
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: GetTickCount
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Sleep
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: VirtualAlloc
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: PhviZrlpkW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\xampp\htdocs\2efa81c4e6b34188a21ceb28fac598e4\Loader\Release\Loader.pdb source: PhviZrlpkW.exe, 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp, PhviZrlpkW.exe, 00000000.00000002.314365455.0000000002859000.00000004.00000020.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000001.00000000.299162939.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000002.00000000.302278058.0000000000290000.00000002.00000001.01000000.00000004.sdmp, edpm.exe, 00000003.00000002.364296668.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000003.00000000.330467592.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000000.351397609.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000002.364278841.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe.1.dr, tchnhwrvi.exe.0.dr, nse83F1.tmp.0.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp

      Data Obfuscation

      barindex
      Detected unpacking (creates a PE file in dynamic memory)
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeUnpacked PE file: 2.2.tchnhwrvi.exe.3330000.5.unpack
      .NET source code contains potential unpacker
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00283D95 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00283D95 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040D2E1 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028A192 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeJump to dropped file
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxnJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxnJump to behavior

      Hooking and other Techniques for Hiding and Protection

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile opened: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      barindex
      Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe TID: 6068Thread sleep time: -7378697629483816s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: threadDelayed 8834
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: foregroundWindowGot 885
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: foregroundWindowGot 785
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI coverage: 4.0 %
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0EBF GetSystemInfo,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040290B FindFirstFileW,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00406715 FindFirstFileExW,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeAPI call chain: ExitProcess graph end node
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI call chain: ExitProcess graph end node
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI call chain: ExitProcess graph end node
      Source: tchnhwrvi.exe, 00000002.00000002.564994074.000000000160B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00283B2B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028A192 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00282200 lstrlenW,SendMessageW,SendMessageW,GetWindowTextLengthW,GetProcessHeap,HeapAlloc,GetWindowTextW,SendMessageW,GetProcessHeap,GetProcessHeap,HeapFree,SendMessageW,SendMessageW,GetWindowTextLengthW,GetProcessHeap,HeapAlloc,SendMessageW,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F005F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F017B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0109 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F013E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess queried: DebugPort
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess queried: DebugPort
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00283B2B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00285D3D SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_002879C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00283B2B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00285D3D SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_002879C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401E16 SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_004060A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

      HIPS / PFW / Operating System Protection Evasion

      barindex
      Maps a DLL or memory area into another process
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe protection: execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003954000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000039CF000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000034FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: tchnhwrvi.exe, 00000002.00000002.571114508.00000000067DB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Managerp
      Source: tchnhwrvi.exe, 00000002.00000002.571585442.000000000722C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager
      Source: tchnhwrvi.exe, 00000002.00000002.571150741.000000000691A000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerp
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.000000000389C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000037C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerX
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert
      Source: tchnhwrvi.exe, 00000002.00000002.572120377.0000000007AEC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager?
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040207B cpuid
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00286BEA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information

      barindex
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR

      Remote Access Functionality

      barindex
      Detected Nanocore Rat
      Source: tchnhwrvi.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: tchnhwrvi.exe, 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid Accounts1
      Windows Management Instrumentation      		1
      Registry Run Keys / Startup Folder      		1
      Access Token Manipulation      		1
      Disable or Modify Tools      		21
      Input Capture      		1
      System Time Discovery      		Remote Services11
      Archive Collected Data      		Exfiltration Over Other Network Medium1
      Encrypted Channel      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
      System Shutdown/Reboot
      Default Accounts12
      Native API      		Boot or Logon Initialization Scripts112
      Process Injection      		11
      Deobfuscate/Decode Files or Information      		LSASS Memory2
      File and Directory Discovery      		Remote Desktop Protocol21
      Input Capture      		Exfiltration Over Bluetooth1
      Non-Standard Port      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain Accounts2
      Command and Scripting Interpreter      		Logon Script (Windows)1
      Registry Run Keys / Startup Folder      		2
      Obfuscated Files or Information      		Security Account Manager26
      System Information Discovery      		SMB/Windows Admin Shares1
      Clipboard Data      		Automated Exfiltration1
      Remote Access Software      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)21
      Software Packing      		NTDS141
      Security Software Discovery      		Distributed Component Object ModelInput CaptureScheduled Transfer1
      Non-Application Layer Protocol      		SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
      Masquerading      		LSA Secrets2
      Process Discovery      		SSHKeyloggingData Transfer Size Limits21
      Application Layer Protocol      		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common31
      Virtualization/Sandbox Evasion      		Cached Domain Credentials31
      Virtualization/Sandbox Evasion      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
      Access Token Manipulation      		DCSync1
      Application Window Discovery      		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job112
      Process Injection      		Proc Filesystem1
      Remote System Discovery      		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
      Hidden Files and Directories      		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 798336 Sample: PhviZrlpkW.exe Startdate: 03/02/2023 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Antivirus detection for URL or domain 2->48 50 7 other signatures 2->50 7 PhviZrlpkW.exe 19 2->7         started        10 edpm.exe 2->10         started        13 edpm.exe 2->13         started        process3 file4 28 C:\Users\user\AppData\Local\...\tchnhwrvi.exe, PE32 7->28 dropped 15 tchnhwrvi.exe 1 2 7->15         started        54 Multi AV Scanner detection for dropped file 10->54 19 WerFault.exe 4 10 10->19         started        21 WerFault.exe 10 13->21         started        signatures5 process6 file7 32 C:\Users\user\AppData\Roaming\...\edpm.exe, PE32 15->32 dropped 36 Multi AV Scanner detection for dropped file 15->36 38 Detected unpacking (creates a PE file in dynamic memory) 15->38 40 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->40 42 Maps a DLL or memory area into another process 15->42 23 tchnhwrvi.exe 9 15->23         started        signatures8 process9 dnsIp10 34 thesopranos.duckdns.org 193.31.30.138, 1365, 49691, 49693 QUICKPACKETUS United Kingdom 23->34 30 C:\Users\user\AppData\Roaming\...\run.dat, data 23->30 dropped 52 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->52 file11 signatures12

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      PhviZrlpkW.exe58%ReversingLabsWin32.Trojan.Nsisx
      PhviZrlpkW.exe53%VirustotalBrowse

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe65%ReversingLabsWin32.Trojan.NSISInject
      C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe52%VirustotalBrowse
      C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe65%ReversingLabsWin32.Trojan.NSISInject
      C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe52%VirustotalBrowse

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      1.2.tchnhwrvi.exe.aa0000.1.unpack100%AviraHEUR/AGEN.1215480Download File
      2.2.tchnhwrvi.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
      0.2.PhviZrlpkW.exe.28a8998.1.unpack100%AviraHEUR/AGEN.1215480Download File
      2.2.tchnhwrvi.exe.5df0000.31.unpack100%AviraTR/NanoCore.fadteDownload File
      2.2.tchnhwrvi.exe.441b408.27.unpack100%AviraTR/NanoCore.fadteDownload File
      2.2.tchnhwrvi.exe.3330000.5.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

      Domains

      SourceDetectionScannerLabelLink
      thesopranos.duckdns.org1%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      thesopranos.duckdns.org1%VirustotalBrowse
      thesopranos.duckdns.org100%Avira URL Cloudmalware

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      thesopranos.duckdns.org
      		193.31.30.138
      		truetrueunknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      thesopranos.duckdns.orgtrue
      • 1%, Virustotal, Browse
      • Avira URL Cloud: malware
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://nsis.sf.net/NSIS_ErrorErrorPhviZrlpkW.exefalse
        		high
        http://google.comtchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nametchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmpfalse
            		high

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            193.31.30.138
            		thesopranos.duckdns.orgUnited Kingdom
            		46261QUICKPACKETUStrue

            General Information

            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:798336
            Start date and time:2023-02-03 23:16:11 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 47s
            Hypervisor based Inspection enabled:false
            Report type:light
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample file name:PhviZrlpkW.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@9/17@17/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 14.9% (good quality ratio 14.3%)
            • Quality average: 82.8%
            • Quality standard deviation: 26%
            HCA Information:
            • Successful, ratio: 93%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe

            Warnings

            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 20.189.173.21
            • Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            23:17:10API Interceptor934x Sleep call for process: tchnhwrvi.exe modified
            23:17:10AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxn C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
            23:17:20AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxn C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
            23:17:34API Interceptor2x Sleep call for process: WerFault.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASNs

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_edpm.exe_98859aec2feace66336d4eb3ad62fedc1a5d529e_aad16012_04aefae6\Report.wer

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.9009185981848317
            Encrypted:false
            SSDEEP:96:samMF1rqNb2RhED7ZRNFpXIQcQ1Uc61dcElcw30vk+HbHg/5FAZugtYsaeOEXCkN:V7cbHQDfYvtjMGIq/u7syS274ItAT
            MD5:4C9B37DD98DEBA952CA651C113023767
            SHA1:7887DE1B1A6A583E01E1CDC5EBBE63BB4334C4FC
            SHA-256:DE3D30114334E4D0E04879F18702842677CC0C44096EBF3216286369E672B302
            SHA-512:B4453A4927711578D3A60ACF796EACFED4D453A7A0F0197E34C047143EB8F3981734D5E016244DC011E365B5C635E31EF87F1F87AE1DC2FCC70B63B1757BA7D2
            Malicious:false
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.9.3.6.2.4.4.3.3.7.1.5.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.9.3.6.2.4.5.8.3.7.2.1.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.1.2.0.6.8.1.-.b.b.9.9.-.4.3.d.c.-.8.9.4.a.-.9.5.d.0.e.5.0.e.e.b.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.7.c.e.0.f.f.-.d.7.2.5.-.4.0.8.d.-.a.4.9.6.-.c.2.2.b.c.4.6.1.e.9.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.d.p.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.a.4.-.0.0.0.1.-.0.0.1.f.-.6.0.8.9.-.a.1.4.7.1.d.3.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.3.e.9.2.b.c.b.c.a.a.a.3.b.2.b.0.b.c.8.6.1.a.c.d.9.5.9.8.9.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.6.e.0.2.2.2.b.9.d.0.2.5.c.c.d.b.4.f.f.d.6.b.e.4.4.3.e.c.1.1.d.0.4.2.d.4.9.9.3.!.e.d.p.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.2././.0.1.:.

            C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_edpm.exe_98859aec2feace66336d4eb3ad62fedc1a5d529e_aad16012_0e2afae6\Report.wer

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):65536
            Entropy (8bit):0.8944933806572445
            Encrypted:false
            SSDEEP:96:sFm9FFTuNb3RhED7ZRNFpXIQcQ1Uc61dcElcw30vk+HbHg5+5uHQ0DFF3V9w72/j:BnUCHQDfYvtjscPq/u7syS274ItAT
            MD5:C237F13C24934957828430FA85EE2978
            SHA1:FBC73199D8AAE59017DFD6F688B1C9407204B96E
            SHA-256:6E17F3B7FDA360093B4ED4B1E3E3B151B67619323F387C78A75874D8981FACEF
            SHA-512:195139294E3368FB93BBB011C2B12D0C0A3ED65E274CD825391D0926D604C93DB48AFDECCBE0B292D636E8DEDCBDA8799FEE3050739BDF05EC35FCCEA438D741
            Malicious:false
            Reputation:low
            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.9.3.6.2.5.0.4.8.7.7.7.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.9.3.6.2.5.1.4.2.5.3.1.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.5.c.7.2.3.3.-.6.4.e.3.-.4.8.0.2.-.b.d.8.4.-.d.a.8.5.7.1.0.6.b.2.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.9.9.a.0.4.2.-.7.a.d.6.-.4.7.b.7.-.9.6.0.1.-.f.c.e.d.f.8.5.3.7.2.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.d.p.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.f.0.-.0.0.0.1.-.0.0.1.f.-.4.7.d.c.-.8.5.4.d.1.d.3.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.3.e.9.2.b.c.b.c.a.a.a.3.b.2.b.0.b.c.8.6.1.a.c.d.9.5.9.8.9.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.6.e.0.2.2.2.b.9.d.0.2.5.c.c.d.b.4.f.f.d.6.b.e.4.4.3.e.c.1.1.d.0.4.2.d.4.9.9.3.!.e.d.p.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.2././.0.1.:.

            C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1E2.tmp.dmp

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Feb 3 22:17:24 2023, 0x1205a4 type
            Category:dropped
            Size (bytes):42040
            Entropy (8bit):2.024512213894416
            Encrypted:false
            SSDEEP:192:ofWJo53RwgHzOsQcNq8T+VZesgYgFSwBySXPV:5nsZ7GZesgYgFSw1f
            MD5:808457693416B37EAAACEECA1AEAEC7B
            SHA1:4A9D9E3EC429F09E83B23E7CB8A3AB679D2C1E4E
            SHA-256:D9533C0DBFA1E421D1151013B0A5F6A00AC33B64C59CE31BD7F8DB68858157BF
            SHA-512:499B65D56DBCF65367E0DDA6A43EBFA416897329D16A9E0785225C692746DB92E165429425CFBEE646D8B0421AE1F8E827945C04D12068AFC1F5711E298F1FDF
            Malicious:false
            Reputation:low
            Preview:MDMP....... .........c........................P...............Z+..........T.......8...........T...........(................................................................................................U...........B......p.......GenuineIntelW...........T.............c............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\ProgramData\Microsoft\Windows\WER\Temp\WERD405.tmp.WERInternalMetadata.xml

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8322
            Entropy (8bit):3.686852809842928
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNilh6H6YeuSU2KEGgmf6S8+prZ89bo3sf4hYm:RrlsNij6H6YXSU2Agmf6Smo8f4L
            MD5:C47FB1BFB839DF2A251DAC5266C6E9A3
            SHA1:29342D732474A52AA8D7321189C1F8B276B3762C
            SHA-256:68BE108158A425B67822B9C7F5FBAAEA575948EA5F300BCD941BF96BA6D6829B
            SHA-512:AE6BCA833F2FE32E6E013E20E1FE87DAD09D0BA7CB015A9698A0C05267ECD42FD1C7BBB80166E4FD5B97739AE8DCFD00123253E84435A93EF769308DDDFBB4E8
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.6.8.<./.P.i.d.>.......

            C:\ProgramData\Microsoft\Windows\WER\Temp\WERD445.tmp.xml

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4622
            Entropy (8bit):4.403333093343135
            Encrypted:false
            SSDEEP:48:cvIwSD8zsVJgtWI9D/TWgc8sqYjja8fm8M4JH4FZ+q8vQ3IN1zCzd:uITfva/igrsqYvJUKG41zCzd
            MD5:7677B4D88DD3595FDD3354DAA341E362
            SHA1:03198DAFD342EBF9A54DD17EA90692679AF72353
            SHA-256:3A8B0111006362C92C0B6B7668CC8AC142E5AADE3D8FC021221BCBD7F6BF96E2
            SHA-512:2E31DD349090687C5EAC647D1B6BCCA28292FE426B47113CB73EF8370BDC805958A7B33DCCAF876356EE940EC3068C4B6617E2170EAE3281D3CED301DB70BA56
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1896928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

            C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9EE.tmp.dmp

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:Mini DuMP crash report, 14 streams, Fri Feb 3 22:17:30 2023, 0x1205a4 type
            Category:dropped
            Size (bytes):40436
            Entropy (8bit):2.056282829146087
            Encrypted:false
            SSDEEP:192:ilfHniryTxFOoQc6pyqb02JzQXX6e7+V6pAocCA:sqoJNqb0KzsX6y+V6phA
            MD5:1FB3EEB01C764DABAE22F44D5E551ADE
            SHA1:2A2685BA4440D874B09998888DD32B41517DBEDF
            SHA-256:4342A5672DEF74E8D6A44A467C186DE7A2968AA94A37846E26641B95251E9597
            SHA-512:D4194BE3E79E69C0A5CE5C235AD5F1ED9670D565CD07BA119418C09D10B749E81313831DCEA65D5180A19EA6DEC14D3C9B233C22A0DB15E1A968B759C06F8EAA
            Malicious:false
            Reputation:low
            Preview:MDMP....... ..........c.........................................*..........T.......8...........T.......................................l....................................................................U...........B..............GenuineIntelW...........T..............c............................. ..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC12.tmp.WERInternalMetadata.xml

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8316
            Entropy (8bit):3.690400665517579
            Encrypted:false
            SSDEEP:192:Rrl7r3GLNimMH6x6YelSUtlVzgmf6S8+pr789b0isfucm:RrlsNiF6x6YcSUtTgmf6Ss0hfM
            MD5:1B31096CBE7D3E726A599C9CC6C105DC
            SHA1:DC57E5F1AD6FDCCC9413466C3E2E567289A054AB
            SHA-256:2342825010A897DB92CA99D0E5152A2357D94781A5E600212A7C06B0E0D62726
            SHA-512:8238BBD8DBE58B01AB1581794741357E3F167C1C2AE2F8241FAE26AEE97EF8AFDBCA087C5707079AA01BDD3362D218BCDC3E465D8B573D9A923029FCC5134DF7
            Malicious:false
            Reputation:low
            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.0.4.<./.P.i.d.>.......

            C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC42.tmp.xml

            Download File
            Process:C:\Windows\SysWOW64\WerFault.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4622
            Entropy (8bit):4.405035055172041
            Encrypted:false
            SSDEEP:48:cvIwSD8zsVJgtWI9D/TWgc8sqYj48fm8M4JH4FSz+q8vQ71zC2d:uITfva/igrsqYxJlKG1zC2d
            MD5:84250B7D1D034DB38E11A3F83DBE5A25
            SHA1:2C9AF8EB330B513D2C42C26980EE994E1F6D46E6
            SHA-256:E0E1A16228EA62FF2E12D7A2D9821C0F50948DC4EC0403DF952C09C4340275A4
            SHA-512:113313843B1AE96B5C6699CBE37A1A5085D0AFFAA359693F2B69B052C2213ECA5C431633A60AE512491F85F17E8EAA61D58F4F19120A7CF321495E0E51D29844
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1896928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

            C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo

            Download File
            Process:C:\Users\user\Desktop\PhviZrlpkW.exe
            File Type:data
            Category:dropped
            Size (bytes):8155
            Entropy (8bit):7.182663154059607
            Encrypted:false
            SSDEEP:192:darcitQvArWiPvoob95WlOPrifKTndVi/sv6fLtNI7ypzV:uCYrNPvoavPrifKzdo06hNI7q
            MD5:67DF8B0B7F398320F69AA06DD324AABD
            SHA1:EFEA18F4A780A5BE154E40A5A9C8535782D11AF2
            SHA-256:244F2A16593E9A58DC56D66E8324BF0A019628C096CCF16D5355FF06265104CE
            SHA-512:61F103CDECAA9575E6FA5B6DD4922B0E992CF0B01D4004B554AD9127539513ED825B7BE02D12999D748F0E5F34D76666104B6D0A9822C03E5A1F43EA6767D01A
            Malicious:false
            Reputation:low
            Preview:.705m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e....aboZf`Z\V.v...`ZYaZCV.v.j^YV.}.lZAU.w.`Z\^.q.iY.T.}.m^.q.[WlT.}....i.W.y.R.}.^.y.W.q.......XW..Mc.....\7!.K.y.a..`.....Z...Jo.......\GB.Gg.u......X.B.Kg.v......Pp..Nd.w.....\...Ke.}.....Y...Ko.p......G8.u....0<..480fP.401Y7a^?X580..D;.g.....A4...Tgn.`...G.X0P0.80..3cg.a.p0..D.`...igen.a..@.b.e.kX.013^3gR7]804p.F8.a.c..q.ad.G<n.`..D2..qb.e...knj..o.00`...)ecXg`Z]^.q.iYXk^OV.}.lZPU.w.`ZE^.q.iY]T.}.mR.R.t.lT.}._\hR.t...R.}.^.y.W.y.R.u......ZR..Jo....\5$.O

            C:\Users\user\AppData\Local\Temp\nse83F1.tmp

            Download File
            Process:C:\Users\user\Desktop\PhviZrlpkW.exe
            File Type:data
            Category:dropped
            Size (bytes):412536
            Entropy (8bit):7.742692963191059
            Encrypted:false
            SSDEEP:12288:BRxkjTLz3xjDWVfJQ9qCU/vfVUgzshA4K9Wx:Ne9DGJQ9qXd4pKS
            MD5:45976AFF5588384336C2E3D34526DAC1
            SHA1:19586AA0CEA35DDEE5E7EFBE097A3E9BCE24C46D
            SHA-256:265CB23E00182EA146217F6E1F14AE29BA83C11D218F67CBEBE4668B165CE23D
            SHA-512:77A8205B700A90E46924FD1FE342D296A1BC9A2D5C8AE928090130CC6EE7F9B00078A8F9D79B753CE792E7F565967DC78222954845626D518F6FBCCBFFE2FD2B
            Malicious:false
            Preview:.6......,........................%.......5.......6..............................................................................T...........................................................................................................................................................G...............K...j...............................................................................................................................O...........p...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe

            Download File
            Process:C:\Users\user\Desktop\PhviZrlpkW.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):82432
            Entropy (8bit):6.3796829712891165
            Encrypted:false
            SSDEEP:1536:VAYSS9siqxKZXtrcbYoo526WIHgnlcdrzDSQnABsScD9:+YdyxKzxWxsScD
            MD5:64F982758878F6A97ED4B3D99CFBD371
            SHA1:56E0222B9D025CCDB4FFD6BE443EC11D042D4993
            SHA-256:BE58EBBA3239A9AF70FD8E1FFDF426EA89855574FF8B38794262D445B4EB351B
            SHA-512:BA592967E39EE53682CDF87A9BDD943F536321D1014DF1139531B73AF28B71CE596175B698A090E4306F7BB0C86694B822A1B57E13A879DD034F3ADED6E5D117
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 65%
            • Antivirus: Virustotal, Detection: 52%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..}K.}K.}K.....}K.....}K......}K....}K.}J..}K.....}K.....}K.Rich.}K.................PE..L...+U.c............................q5............@.......................................@..................................#..........................................................................................|............................text............................... ..`.rdata...1.......2..................@..@.data....B...@......................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

            C:\Users\user\AppData\Local\Temp\tthfqfao.aa

            Download File
            Process:C:\Users\user\Desktop\PhviZrlpkW.exe
            File Type:data
            Category:dropped
            Size (bytes):307935
            Entropy (8bit):7.985923940553015
            Encrypted:false
            SSDEEP:6144:2hXx4RjTF5mqJlX4e3DljJJ3WJPksJQrCQXq1IzQ1/V/HnPfYuUJSrk:2RxkjTLz3xjDWVfJQ9qCU/vfVUp
            MD5:ED01FB080A7C07E4B8ADEC8148D0C434
            SHA1:81474DD1BD248E9D080D55495DB795B4C52CC57D
            SHA-256:AAAFF8393BFBBB2AD8865ECBEC0989162825F52184FB305FB0846D0C2C0D9654
            SHA-512:F5FB047014EB631A0EA91064D0C440A9489F50CC4160DBAC507AEBD5B58D752112F1C69AE15F81A136C51D962FE4E478CDEC52C8A9B7411C110076C09F99EA78
            Malicious:false
            Preview:.....+V..e. .@...N;.:R....9(..6&._...kj.A...eL.a.d........-.........zx#..p.....j..j...>!.%8...)~..'Q.T.A...-....P..c....../b...e@.KKX.=....k....r...T_......".L.g!....q....N3...+.td.,.f >.bs..R,..]4W...G@G...k`.LF...q.7Ih.....>]8..4..x.]...{.......+M..e!.C@....N;.:.....9."[t.._...kcAA...ez.a.dM..........>......j..n.{...0..O.D..(..2[@.t.o ..A..e.R...?...ZM&.c .........M.g.N^.t.5...p..&.+.u.;. .....mLW.2..<..9...a.....).iHE&E.c..Y{"b..\3..5..F"3...#...y.()u.{.......'Y...pA..[.3.x.]...{...Yq..+...e...@....NC.:.....9(..6&.......J.3..ewFa.d......m..>5...].....n...].q%.O.4/.(..b[@nt...OiA..e.?......fZ..I7....l....1OM..5N\./.5w3....&.+.u.;.......mLW.2..<..j...2.a.....).iHE&E.c..Y{"b..\3..M..."3...#...y.(pu.........'Y...pA..[.3.x.]...{.......+...e.p.@....N;.:.....9(..6&._...kj.A...eL.a.d...........>5...].....n.{...0..O.Dv.(..2[@.t.. .iA..e.?......fZM&.c..........M..oN\.t.5w3....&.+.u.;. .....mLW.2..<..j...2.a.....).iHE&E.c..Y{"b..\3..M..."3...#...y.(pu.....

            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

            Download File
            Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            File Type:data
            Category:dropped
            Size (bytes):232
            Entropy (8bit):7.024371743172393
            Encrypted:false
            SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
            MD5:32D0AAE13696FF7F8AF33B2D22451028
            SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
            SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
            SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
            Malicious:false
            Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

            Download File
            Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            File Type:data
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:OjS:Ou
            MD5:FDECF7936CC694269FF8F1961A68ADBB
            SHA1:0BC2E2B015FB7A83E00CD0C8CFE08D25B5A60F6D
            SHA-256:D1629F7944B42A620D3D35FFAA86125EC31C4E57D57EC0408CD71BCCD86E1E5B
            SHA-512:A010C551B8E6885B903A388CC90579A8D5FAD24C900CA813DD044C57CED4B36E8812FD5FE9B57C0420DBBF8574BDEF2D6342FAC1C89C2207D2FC9E8127BF9DEF
            Malicious:true
            Preview:...d4..H

            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

            Download File
            Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            File Type:data
            Category:dropped
            Size (bytes):40
            Entropy (8bit):5.221928094887364
            Encrypted:false
            SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
            MD5:AE0F5E6CE7122AF264EC533C6B15A27B
            SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
            SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
            SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
            Malicious:false
            Preview:9iH...}Z.4..f..... 8.j....|.&X..e.F.*.

            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

            Download File
            Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            File Type:data
            Category:dropped
            Size (bytes):327432
            Entropy (8bit):7.99938831605763
            Encrypted:true
            SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
            MD5:7E8F4A764B981D5B82D1CC49D341E9C6
            SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
            SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
            SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
            Malicious:false
            Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

            C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe

            Download File
            Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):82432
            Entropy (8bit):6.3796829712891165
            Encrypted:false
            SSDEEP:1536:VAYSS9siqxKZXtrcbYoo526WIHgnlcdrzDSQnABsScD9:+YdyxKzxWxsScD
            MD5:64F982758878F6A97ED4B3D99CFBD371
            SHA1:56E0222B9D025CCDB4FFD6BE443EC11D042D4993
            SHA-256:BE58EBBA3239A9AF70FD8E1FFDF426EA89855574FF8B38794262D445B4EB351B
            SHA-512:BA592967E39EE53682CDF87A9BDD943F536321D1014DF1139531B73AF28B71CE596175B698A090E4306F7BB0C86694B822A1B57E13A879DD034F3ADED6E5D117
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 65%
            • Antivirus: Virustotal, Detection: 52%, Browse
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%..}K.}K.}K.....}K.....}K......}K....}K.}J..}K.....}K.....}K.Rich.}K.................PE..L...+U.c............................q5............@.......................................@..................................#..........................................................................................|............................text............................... ..`.rdata...1.......2..................@..@.data....B...@......................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Entropy (8bit):6.1512123375745995
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:PhviZrlpkW.exe
            File size:775369
            MD5:565044691fedb39980cb814dc26f9ebd
            SHA1:d92f48359c385fd03a419e583495ead52428654e
            SHA256:3a1c1eabfbe52d5a822e95462e730775ea9eef9d8d653f3a1ff6904378ad3e0c
            SHA512:ee459c0234c40c4b353f9ea6dbdb8297adac7b63727fb5bcfefbfa2404e0d14882d48656caf8f62897cba00cf7de20da19eb638bc3530e8d13fdb85cfaf58b3c
            SSDEEP:6144:8Ya6SW0O0WqiBiGei7FTjUosytWnSS1SqY7WnoVhcOdN3eJznS/FK0Y4Zh/9VR9A:8Y6WqyTT5WnoLX9dK0XZh1RYCChaWKDW
            TLSH:73F4E0537A00B2E5D8B044397C1AC1F34B99AE3999543E573AD4BF3F38B5123960A73A
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

            File Icon

            Icon Hash:fcd4dcc4f0797979

            Static PE Info

            General

            Entrypoint:0x403640
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:61259b55b8912888e90f516ca08dc514

            Entrypoint Preview

            Instruction
            push ebp
            mov ebp, esp
            sub esp, 000003F4h
            push ebx
            push esi
            push edi
            push 00000020h
            pop edi
            xor ebx, ebx
            push 00008001h
            mov dword ptr [ebp-14h], ebx
            mov dword ptr [ebp-04h], 0040A230h
            mov dword ptr [ebp-10h], ebx
            call dword ptr [004080C8h]
            mov esi, dword ptr [004080CCh]
            lea eax, dword ptr [ebp-00000140h]
            push eax
            mov dword ptr [ebp-0000012Ch], ebx
            mov dword ptr [ebp-2Ch], ebx
            mov dword ptr [ebp-28h], ebx
            mov dword ptr [ebp-00000140h], 0000011Ch
            call esi
            test eax, eax
            jne 00007F3638DF5C5Ah
            lea eax, dword ptr [ebp-00000140h]
            mov dword ptr [ebp-00000140h], 00000114h
            push eax
            call esi
            mov ax, word ptr [ebp-0000012Ch]
            mov ecx, dword ptr [ebp-00000112h]
            sub ax, 00000053h
            add ecx, FFFFFFD0h
            neg ax
            sbb eax, eax
            mov byte ptr [ebp-26h], 00000004h
            not eax
            and eax, ecx
            mov word ptr [ebp-2Ch], ax
            cmp dword ptr [ebp-0000013Ch], 0Ah
            jnc 00007F3638DF5C2Ah
            and word ptr [ebp-00000132h], 0000h
            mov eax, dword ptr [ebp-00000134h]
            movzx ecx, byte ptr [ebp-00000138h]
            mov dword ptr [0042A318h], eax
            xor eax, eax
            mov ah, byte ptr [ebp-0000013Ch]
            movzx eax, ax
            or eax, ecx
            xor ecx, ecx
            mov ch, byte ptr [ebp-2Ch]
            movzx ecx, cx
            shl eax, 10h
            or eax, ecx

            Rich Headers

            Programming Language:
            • [EXP] VC++ 6.0 SP5 build 8804

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x85040xa0.rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x3b0000x64f00.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IAT0x80000x2b0.rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x66760x6800False0.6568134014423077data6.4174599871908855IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata0x80000x139a0x1400False0.4498046875data5.141066817170598IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data0xa0000x203780x600False0.509765625data4.110582127654237IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .ndata0x2b0000x100000x0False0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc0x3b0000x64f000x65000False0.2831088528774752data3.743561491677653IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x3b3280x42028Device independent bitmap graphic, 256 x 512 x 32, image size 262144EnglishUnited States
            RT_ICON0x7d3500x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536EnglishUnited States
            RT_ICON0x8db780x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 36864EnglishUnited States
            RT_ICON0x970200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384EnglishUnited States
            RT_ICON0x9b2480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216EnglishUnited States
            RT_ICON0x9d7f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096EnglishUnited States
            RT_ICON0x9e8980x988Device independent bitmap graphic, 24 x 48 x 32, image size 2304EnglishUnited States
            RT_ICON0x9f2200x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024EnglishUnited States
            RT_DIALOG0x9f6880x100dataEnglishUnited States
            RT_DIALOG0x9f7880x11cdataEnglishUnited States
            RT_DIALOG0x9f8a80x60dataEnglishUnited States
            RT_GROUP_ICON0x9f9080x76dataEnglishUnited States
            RT_VERSION0x9f9800x23cdataEnglishUnited States
            RT_MANIFEST0x9fbc00x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States

            Imports

            DLLImport
            ADVAPI32.dllRegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
            SHELL32.dllSHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
            ole32.dllOleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
            COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
            USER32.dllGetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
            GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
            KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            Snort IDS Alerts

            TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
            192.168.2.4193.31.30.1384972613652816766 02/03/23-23:19:06.285273TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497261365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971313652816766 02/03/23-23:17:46.673206TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497131365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971813652816766 02/03/23-23:18:21.376630TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497181365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972113652816766 02/03/23-23:18:33.469715TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497211365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971613652816766 02/03/23-23:18:07.532553TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497161365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971413652816766 02/03/23-23:17:53.669627TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497141365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972313652816766 02/03/23-23:18:47.034655TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497231365192.168.2.4193.31.30.138
            193.31.30.138192.168.2.41365497022810290 02/03/23-23:17:30.731633TCP2810290ETPRO TROJAN NanoCore RAT Keepalive Response 1136549702193.31.30.138192.168.2.4
            192.168.2.4193.31.30.1384972513652816718 02/03/23-23:18:58.945928TCP2816718ETPRO TROJAN NanoCore RAT Keep-Alive Beacon497251365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384970213652816766 02/03/23-23:17:32.574212TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497021365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971713652816766 02/03/23-23:18:13.577404TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497171365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971413652816718 02/03/23-23:17:52.672539TCP2816718ETPRO TROJAN NanoCore RAT Keep-Alive Beacon497141365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971213652816766 02/03/23-23:17:40.364031TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497121365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972213652816766 02/03/23-23:18:41.032521TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497221365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972513652816766 02/03/23-23:18:59.896530TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497251365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384969313652816766 02/03/23-23:17:25.471865TCP2816766ETPRO TROJAN NanoCore RAT CnC 7496931365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384971513652816766 02/03/23-23:18:01.525116TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497151365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384969113652816766 02/03/23-23:17:14.041382TCP2816766ETPRO TROJAN NanoCore RAT CnC 7496911365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972013652816766 02/03/23-23:18:27.458779TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497201365192.168.2.4193.31.30.138
            192.168.2.4193.31.30.1384972413652816766 02/03/23-23:18:53.018271TCP2816766ETPRO TROJAN NanoCore RAT CnC 7497241365192.168.2.4193.31.30.138

            Network Port Distribution

            TCP Packets

            TimestampSource PortDest PortSource IPDest IP
            Feb 3, 2023 23:17:12.300127029 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.330926895 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.331037998 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.413235903 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.450130939 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.459686995 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.490725040 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.533387899 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.602159023 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.602196932 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.602216959 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.602238894 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.602257967 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.602314949 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.602349997 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.633047104 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633085012 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633105040 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633125067 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633155107 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.633167982 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633177996 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.633197069 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633215904 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633235931 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633251905 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.633261919 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.633284092 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664132118 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664169073 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664189100 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664208889 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664230108 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664251089 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664272070 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664295912 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664321899 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664343119 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664355993 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664361954 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664381027 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664398909 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664417982 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664436102 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664446115 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664464951 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664474010 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664491892 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664510965 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664525986 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.664537907 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.664560080 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695408106 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695442915 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695462942 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695485115 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695504904 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695522070 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695548058 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695557117 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695575953 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695589066 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695605040 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695625067 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695646048 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695671082 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695678949 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695699930 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695708990 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695729017 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695739985 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695759058 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695779085 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695799112 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695817947 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695828915 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695847034 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695858955 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695879936 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695900917 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695918083 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695930958 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695944071 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.695959091 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.695980072 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696002007 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696022987 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696033001 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.696053028 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696062088 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.696079969 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696095943 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.696108103 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696127892 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696147919 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696166039 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.696176052 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696194887 CET136549691193.31.30.138192.168.2.4
            Feb 3, 2023 23:17:12.696202993 CET496911365192.168.2.4193.31.30.138
            Feb 3, 2023 23:17:12.726975918 CET136549691193.31.30.138192.168.2.4

            UDP Packets

            TimestampSource PortDest PortSource IPDest IP
            Feb 3, 2023 23:17:12.182507992 CET5741753192.168.2.48.8.8.8
            Feb 3, 2023 23:17:12.291882038 CET53574178.8.8.8192.168.2.4
            Feb 3, 2023 23:17:23.454297066 CET5098253192.168.2.48.8.8.8
            Feb 3, 2023 23:17:23.471971989 CET53509828.8.8.8192.168.2.4
            Feb 3, 2023 23:17:30.550218105 CET6416753192.168.2.48.8.8.8
            Feb 3, 2023 23:17:30.658106089 CET53641678.8.8.8192.168.2.4
            Feb 3, 2023 23:17:37.685573101 CET5680753192.168.2.48.8.8.8
            Feb 3, 2023 23:17:37.703191042 CET53568078.8.8.8192.168.2.4
            Feb 3, 2023 23:17:45.607497931 CET6100753192.168.2.48.8.8.8
            Feb 3, 2023 23:17:45.716548920 CET53610078.8.8.8192.168.2.4
            Feb 3, 2023 23:17:51.722161055 CET6068653192.168.2.48.8.8.8
            Feb 3, 2023 23:17:51.830809116 CET53606868.8.8.8192.168.2.4
            Feb 3, 2023 23:17:59.174943924 CET6112453192.168.2.48.8.8.8
            Feb 3, 2023 23:17:59.283678055 CET53611248.8.8.8192.168.2.4
            Feb 3, 2023 23:18:06.551378012 CET5944453192.168.2.48.8.8.8
            Feb 3, 2023 23:18:06.569550037 CET53594448.8.8.8192.168.2.4
            Feb 3, 2023 23:18:12.558892965 CET5557053192.168.2.48.8.8.8
            Feb 3, 2023 23:18:12.576698065 CET53555708.8.8.8192.168.2.4
            Feb 3, 2023 23:18:18.683300018 CET6490653192.168.2.48.8.8.8
            Feb 3, 2023 23:18:18.792500019 CET53649068.8.8.8192.168.2.4
            Feb 3, 2023 23:18:26.458391905 CET5086153192.168.2.48.8.8.8
            Feb 3, 2023 23:18:26.478123903 CET53508618.8.8.8192.168.2.4
            Feb 3, 2023 23:18:32.484534025 CET6108853192.168.2.48.8.8.8
            Feb 3, 2023 23:18:32.502001047 CET53610888.8.8.8192.168.2.4
            Feb 3, 2023 23:18:39.776468992 CET5872953192.168.2.48.8.8.8
            Feb 3, 2023 23:18:39.884972095 CET53587298.8.8.8192.168.2.4
            Feb 3, 2023 23:18:46.066214085 CET6470053192.168.2.48.8.8.8
            Feb 3, 2023 23:18:46.175755024 CET53647008.8.8.8192.168.2.4
            Feb 3, 2023 23:18:52.083476067 CET5602253192.168.2.48.8.8.8
            Feb 3, 2023 23:18:52.192724943 CET53560228.8.8.8192.168.2.4
            Feb 3, 2023 23:18:58.731571913 CET6082253192.168.2.48.8.8.8
            Feb 3, 2023 23:18:58.748497009 CET53608228.8.8.8192.168.2.4
            Feb 3, 2023 23:19:04.980493069 CET4975053192.168.2.48.8.8.8
            Feb 3, 2023 23:19:05.089649916 CET53497508.8.8.8192.168.2.4

            DNS Queries

            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
            Feb 3, 2023 23:17:12.182507992 CET192.168.2.48.8.8.80x82ccStandard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:23.454297066 CET192.168.2.48.8.8.80xe8d3Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:30.550218105 CET192.168.2.48.8.8.80x3e21Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:37.685573101 CET192.168.2.48.8.8.80x16d7Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:45.607497931 CET192.168.2.48.8.8.80x2ba3Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:51.722161055 CET192.168.2.48.8.8.80xec96Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:59.174943924 CET192.168.2.48.8.8.80xc842Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:06.551378012 CET192.168.2.48.8.8.80x8297Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:12.558892965 CET192.168.2.48.8.8.80xcf26Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:18.683300018 CET192.168.2.48.8.8.80x61ecStandard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:26.458391905 CET192.168.2.48.8.8.80x78b2Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:32.484534025 CET192.168.2.48.8.8.80xb12bStandard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:39.776468992 CET192.168.2.48.8.8.80x4a72Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:46.066214085 CET192.168.2.48.8.8.80xc722Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:52.083476067 CET192.168.2.48.8.8.80xfba4Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:58.731571913 CET192.168.2.48.8.8.80x5fcbStandard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false
            Feb 3, 2023 23:19:04.980493069 CET192.168.2.48.8.8.80xc980Standard query (0)thesopranos.duckdns.orgA (IP address)IN (0x0001)false

            DNS Answers

            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
            Feb 3, 2023 23:17:12.291882038 CET8.8.8.8192.168.2.40x82ccNo error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:23.471971989 CET8.8.8.8192.168.2.40xe8d3No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:30.658106089 CET8.8.8.8192.168.2.40x3e21No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:37.703191042 CET8.8.8.8192.168.2.40x16d7No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:45.716548920 CET8.8.8.8192.168.2.40x2ba3No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:51.830809116 CET8.8.8.8192.168.2.40xec96No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:17:59.283678055 CET8.8.8.8192.168.2.40xc842No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:06.569550037 CET8.8.8.8192.168.2.40x8297No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:12.576698065 CET8.8.8.8192.168.2.40xcf26No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:18.792500019 CET8.8.8.8192.168.2.40x61ecNo error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:26.478123903 CET8.8.8.8192.168.2.40x78b2No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:32.502001047 CET8.8.8.8192.168.2.40xb12bNo error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:39.884972095 CET8.8.8.8192.168.2.40x4a72No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:46.175755024 CET8.8.8.8192.168.2.40xc722No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:52.192724943 CET8.8.8.8192.168.2.40xfba4No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:18:58.748497009 CET8.8.8.8192.168.2.40x5fcbNo error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false
            Feb 3, 2023 23:19:05.089649916 CET8.8.8.8192.168.2.40xc980No error (0)thesopranos.duckdns.org193.31.30.138A (IP address)IN (0x0001)false

            Statistics

            Behavior

            Click to jump to process

            System Behavior

            General

            Target ID:0
            Start time:23:17:04
            Start date:03/02/2023
            Path:C:\Users\user\Desktop\PhviZrlpkW.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\Desktop\PhviZrlpkW.exe
            Imagebase:0x400000
            File size:775369 bytes
            MD5 hash:565044691FEDB39980CB814DC26F9EBD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Target ID:1
            Start time:23:17:04
            Start date:03/02/2023
            Path:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo
            Imagebase:0x280000
            File size:82432 bytes
            MD5 hash:64F982758878F6A97ED4B3D99CFBD371
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            Antivirus matches:
            • Detection: 65%, ReversingLabs
            • Detection: 52%, Virustotal, Browse
            Reputation:low

            General

            Target ID:2
            Start time:23:17:06
            Start date:03/02/2023
            Path:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
            Imagebase:0x280000
            File size:82432 bytes
            MD5 hash:64F982758878F6A97ED4B3D99CFBD371
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
            • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
            Reputation:low

            General

            Target ID:3
            Start time:23:17:19
            Start date:03/02/2023
            Path:C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
            Imagebase:0x1d0000
            File size:82432 bytes
            MD5 hash:64F982758878F6A97ED4B3D99CFBD371
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 65%, ReversingLabs
            • Detection: 52%, Virustotal, Browse
            Reputation:low

            General

            Target ID:6
            Start time:23:17:23
            Start date:03/02/2023
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
            Imagebase:0x980000
            File size:434592 bytes
            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Target ID:7
            Start time:23:17:29
            Start date:03/02/2023
            Path:C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
            Imagebase:0x1d0000
            File size:82432 bytes
            MD5 hash:64F982758878F6A97ED4B3D99CFBD371
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low

            General

            Target ID:9
            Start time:23:17:30
            Start date:03/02/2023
            Path:C:\Windows\SysWOW64\WerFault.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632
            Imagebase:0x980000
            File size:434592 bytes
            MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high

            Disassembly

            No disassembly