Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
x4VGltSj0j.exe

Overview

General Information

Sample Name:x4VGltSj0j.exe
Original Sample Name:20ef67d923f487ff82fb19be1270571c.exe
Analysis ID:878160
MD5:20ef67d923f487ff82fb19be1270571c
SHA1:6e87a3a9a4dbe64f9626f2230cd2fea63452ee68
SHA256:77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
Tags:exeNanoCoreRAT
Infos:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Snort IDS alert for network traffic
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • x4VGltSj0j.exe (PID: 5476 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
    • x4VGltSj0j.exe (PID: 6704 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
      • schtasks.exe (PID: 6804 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6908 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • x4VGltSj0j.exe (PID: 6940 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe 0 MD5: 20EF67D923F487FF82FB19BE1270571C)
    • x4VGltSj0j.exe (PID: 6752 cmdline: C:\Users\user\Desktop\x4VGltSj0j.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • dhcpmon.exe (PID: 7056 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 20EF67D923F487FF82FB19BE1270571C)
    • dhcpmon.exe (PID: 6796 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • dhcpmon.exe (PID: 5812 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 20EF67D923F487FF82FB19BE1270571C)
    • dhcpmon.exe (PID: 4092 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 20EF67D923F487FF82FB19BE1270571C)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Nanocore RAT, NanoCoreNanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.
  • APT33
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x435b5:$a: NanoCore
    • 0x4360e:$a: NanoCore
    • 0x4364b:$a: NanoCore
    • 0x436c4:$a: NanoCore
    • 0x56d6f:$a: NanoCore
    • 0x56d84:$a: NanoCore
    • 0x56db9:$a: NanoCore
    • 0x6fd5b:$a: NanoCore
    • 0x6fd70:$a: NanoCore
    • 0x6fda5:$a: NanoCore
    • 0x43617:$b: ClientPlugin
    • 0x43654:$b: ClientPlugin
    • 0x43f52:$b: ClientPlugin
    • 0x43f5f:$b: ClientPlugin
    • 0x56b2b:$b: ClientPlugin
    • 0x56b46:$b: ClientPlugin
    • 0x56b76:$b: ClientPlugin
    • 0x56d8d:$b: ClientPlugin
    • 0x56dc2:$b: ClientPlugin
    • 0x6fb17:$b: ClientPlugin
    • 0x6fb32:$b: ClientPlugin
    0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
    • 0x4364b:$a1: NanoCore.ClientPluginHost
    • 0x56db9:$a1: NanoCore.ClientPluginHost
    • 0x6fda5:$a1: NanoCore.ClientPluginHost
    • 0x4360e:$a2: NanoCore.ClientPlugin
    • 0x56d84:$a2: NanoCore.ClientPlugin
    • 0x6fd70:$a2: NanoCore.ClientPlugin
    • 0x439e2:$b1: get_BuilderSettings
    • 0x5bcff:$b1: get_BuilderSettings
    • 0x74ceb:$b1: get_BuilderSettings
    • 0x43699:$b4: IClientAppHost
    • 0x43a53:$b6: AddHostEntry
    • 0x43ac2:$b7: LogClientException
    • 0x5bc6e:$b7: LogClientException
    • 0x74c5a:$b7: LogClientException
    • 0x43a37:$b8: PipeExists
    • 0x43686:$b9: IClientLoggingHost
    • 0x56dd3:$b9: IClientLoggingHost
    • 0x6fdbf:$b9: IClientLoggingHost
    00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
    00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
    Click to see the 90 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    3.2.x4VGltSj0j.exe.6d10000.19.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
    • 0x16e3:$x1: NanoCore.ClientPluginHost
    • 0x171c:$x2: IClientNetworkHost
    3.2.x4VGltSj0j.exe.6d10000.19.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth (Nextron Systems)
    • 0x16e3:$x2: NanoCore.ClientPluginHost
    • 0x1800:$s4: PipeCreated
    • 0x16fd:$s5: IClientLoggingHost
    3.2.x4VGltSj0j.exe.6d10000.19.raw.unpackMALWARE_Win_NanoCoreDetects NanoCoreditekSHen
    • 0x175f:$x2: NanoCore.ClientPlugin
    • 0x16e3:$x3: NanoCore.ClientPluginHost
    • 0x1775:$i3: IClientNetwork
    • 0x16fd:$i6: IClientLoggingHost
    • 0x171c:$i7: IClientNetworkHost
    • 0x1491:$s1: ClientPlugin
    • 0x1768:$s1: ClientPlugin
    3.2.x4VGltSj0j.exe.6d10000.19.raw.unpackWindows_Trojan_Nanocore_d8c4e3c5unknownunknown
    • 0x16e3:$a1: NanoCore.ClientPluginHost
    • 0x175f:$a2: NanoCore.ClientPlugin
    • 0x16fd:$b9: IClientLoggingHost
    3.2.x4VGltSj0j.exe.71a0000.30.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth (Nextron Systems)
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
    Click to see the 251 entries

    Sigma Signatures

    AV Detection

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    E-Banking Fraud

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Persistence and Installation Behavior

    barindex
    Sigma detected: Scheduled temp file as task from temp location
    Source: Process startedAuthor: Joe Security: Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\x4VGltSj0j.exe, ParentImage: C:\Users\user\Desktop\x4VGltSj0j.exe, ParentProcessId: 6704, ParentProcessName: x4VGltSj0j.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp, ProcessId: 6804, ProcessName: schtasks.exe

    Stealing of Sensitive Information

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Remote Access Functionality

    barindex
    Sigma detected: NanoCore
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\x4VGltSj0j.exe, ProcessId: 6704, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

    Snort Signatures

    Timestamp:192.168.2.4141.98.6.1674969440322025019 05/30/23-13:08:06.488254
    SID:2025019
    Source Port:49694
    Destination Port:4032
    Protocol:TCP
    Classtype:A Network Trojan was detected
    Timestamp:192.168.2.4141.98.6.1674969440322816766 05/30/23-13:08:09.282700
    SID:2816766
    Source Port:49694
    Destination Port:4032
    Protocol:TCP
    Classtype:A Network Trojan was detected

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Found malware configuration
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "540c4d56-ad4d-4ca4-9f9f-305dba1d", "Group": "Default", "Domain1": "jasonbourneblack.ddns.net", "Domain2": "127.0.0.1", "Port": 4032, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Multi AV Scanner detection for submitted file
    Source: x4VGltSj0j.exeReversingLabs: Detection: 21%
    Source: x4VGltSj0j.exeVirustotal: Detection: 28%Perma Link
    Antivirus detection for URL or domain
    Source: jasonbourneblack.ddns.netAvira URL Cloud: Label: malware
    Multi AV Scanner detection for domain / URL
    Source: jasonbourneblack.ddns.netVirustotal: Detection: 10%Perma Link
    Multi AV Scanner detection for dropped file
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 21%
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR
    Machine Learning detection for sample
    Source: x4VGltSj0j.exeJoe Sandbox ML: detected
    Machine Learning detection for dropped file
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
    Source: x4VGltSj0j.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: x4VGltSj0j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mscorlib.pdb source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000C15000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oXQF.pdbSHA256; source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: oXQF.pdb source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 4x nop then jmp 09B37ECDh
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]

    Networking

    barindex
    Snort IDS alert for network traffic
    Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49694 -> 141.98.6.167:4032
    Source: TrafficSnort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49694 -> 141.98.6.167:4032
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: jasonbourneblack.ddns.net
    Source: Malware configuration extractorURLs: 127.0.0.1
    Uses dynamic DNS services
    Source: unknownDNS query: name: jasonbourneblack.ddns.net
    Source: Joe Sandbox ViewASN Name: CMCSUS CMCSUS
    Source: global trafficTCP traffic: 192.168.2.4:49694 -> 141.98.6.167:4032
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://google.com
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
    Source: x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comenc
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comitk
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
    Source: x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comscrf:
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005942000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
    Source: x4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcom
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomF
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomau
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comf?
    Source: x4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comion
    Source: x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542610815.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comk
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/&
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/C
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0g
    Source: x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
    Source: x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/f?
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/o
    Source: x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/u
    Source: x4VGltSj0j.exe, 00000000.00000003.539411991.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.539394916.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541072737.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlic
    Source: x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comlic6
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
    Source: x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deI
    Source: x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deN
    Source: x4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
    Source: x4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.S
    Source: unknownDNS traffic detected: queries for: jasonbourneblack.ddns.net
    Source: x4VGltSj0j.exe, 00000000.00000002.552960704.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud

    barindex
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR

    System Summary

    barindex
    Malicious sample detected (through community Yara rule)
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
    Source: x4VGltSj0j.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d10000.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5370000.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5380000.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7010000.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7170000.27.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.50b0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5380000.15.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.2f29530.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c50a1e.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.39081d4.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7174c9f.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d20000.20.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d30000.21.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 11.2.dhcpmon.exe.32d9658.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d60000.24.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d50000.23.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c5ee4e.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.71a0000.30.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.717e8a4.29.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3c47bef.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7010000.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a9d852.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6ff0000.25.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38f9930.10.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.7170000.27.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.5370000.14.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 11.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.6d40000.22.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a7cff1.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.38fe5cf.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.298e3f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.2942e5c.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.2975498.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 3.2.x4VGltSj0j.exe.3a89225.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
    Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_00E5C1A4
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_00E5E5E0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_00E5E5F0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD40C8
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD4C48
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD6DB1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD0858
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD9308
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FDB150
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FDC102
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FDBC80
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD4870
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD4861
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD0848
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_06FD99B1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_09B372F0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_09B30006
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 0_2_09B30040
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_028CE480
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_028CE471
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_028CBBD4
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_065496B0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_06548A98
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654976E
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_06549F90
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_029BC1A4
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_029BE5F0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_029BE5E0
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C440D7
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C44C48
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C46DB1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C40858
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C49308
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4B141
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4B150
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4C102
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4BC80
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C46DBF
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C40848
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C44861
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C44870
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C499B1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_095F0040
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_095F0006
    Source: x4VGltSj0j.exe, 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000002.565716267.0000000007280000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000000.537587805.000000000063A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameoXQF.exe8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000000.00000002.552960704.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831774560.00000000071AE000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000BBA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831317891.0000000007018000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003971000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007198000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.829167301.0000000006080000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000008.00000002.595768511.0000000003F03000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRegive.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 00000008.00000002.588315692.0000000000D08000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.622056821.000000000124A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exeBinary or memory string: OriginalFilenameoXQF.exe8 vs x4VGltSj0j.exe
    Source: x4VGltSj0j.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: dhcpmon.exe.3.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: x4VGltSj0j.exeReversingLabs: Detection: 21%
    Source: x4VGltSj0j.exeVirustotal: Detection: 28%
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile read: C:\Users\user\Desktop\x4VGltSj0j.exeJump to behavior
    Source: x4VGltSj0j.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x4VGltSj0j.exe.logJump to behavior
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8CAB.tmpJump to behavior
    Source: classification engineClassification label: mal100.troj.evad.winEXE@18/10@3/1
    Source: x4VGltSj0j.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{540c4d56-ad4d-4ca4-9f9f-305dba1da640}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: x4VGltSj0j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: x4VGltSj0j.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: x4VGltSj0j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: mscorlib.pdb source: x4VGltSj0j.exe, 00000003.00000002.803744926.0000000000C15000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: oXQF.pdbSHA256; source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: oXQF.pdb source: x4VGltSj0j.exe, dhcpmon.exe.3.dr
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp

    Data Obfuscation

    barindex
    .NET source code contains potential unpacker
    Source: x4VGltSj0j.exe, frmDangNhap.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: 0.0.x4VGltSj0j.exe.570000.0.unpack, frmDangNhap.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: dhcpmon.exe.3.dr, frmDangNhap.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D216 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D21E push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D21A push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D20E push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D236 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D232 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D23A push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D226 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D222 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D22E push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D22A push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D282 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D06E push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D022 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D0BA push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D152 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D106 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D1EA push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654D19E push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654CFD6 push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654CF8A push es; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_0654C85A push 8B000005h; retf
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C407A8 push cs; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4C5C0 push ebx; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4C591 push edx; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4D2F0 pushad ; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C4D27A pushad ; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C440A0 pushfd ; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C44079 pushfd ; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C40AB8 push cs; ret
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 8_2_06C40A70 push cs; ret
    Source: x4VGltSj0j.exeStatic PE information: 0xBD56133A [Fri Aug 29 10:47:22 2070 UTC]
    Source: initial sampleStatic PE information: section name: .text entropy: 7.620478844643008
    Source: initial sampleStatic PE information: section name: .text entropy: 7.620478844643008
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

    Boot Survival

    barindex
    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp

    Hooking and other Techniques for Hiding and Protection

    barindex
    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeFile opened: C:\Users\user\Desktop\x4VGltSj0j.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5468Thread sleep time: -41202s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5448Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 2444Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 7036Thread sleep time: -41202s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 5184Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7068Thread sleep time: -41202s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 3048Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4108Thread sleep time: -41202s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 944Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6904Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\Desktop\x4VGltSj0j.exe TID: 1032Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5684Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: threadDelayed 9576
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: foregroundWindowGot 762
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeWindow / User API: foregroundWindowGot 647
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess information queried: ProcessInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 41202
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 41202
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 41202
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 41202
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeThread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
    Source: x4VGltSj0j.exe, 00000003.00000003.617919152.0000000000C6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess token adjusted: Debug
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeCode function: 3_2_06543C40 LdrInitializeThunk,
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMemory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

    barindex
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMemory written: C:\Users\user\Desktop\x4VGltSj0j.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeMemory written: C:\Users\user\Desktop\x4VGltSj0j.exe base: 400000 value starts with: 4D5A
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5A
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeProcess created: C:\Users\user\Desktop\x4VGltSj0j.exe C:\Users\user\Desktop\x4VGltSj0j.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002DE3000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerD$
    Source: x4VGltSj0j.exe, 00000003.00000002.832353745.000000000841E000.00000004.00000010.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.831095958.0000000006FEE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager
    Source: x4VGltSj0j.exe, 00000003.00000002.832261158.00000000080DD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager 4L0s
    Source: x4VGltSj0j.exe, 00000003.00000002.830604776.0000000006D0E000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager`
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.0000000002AAF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerHa
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Users\user\Desktop\x4VGltSj0j.exe VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Users\user\Desktop\x4VGltSj0j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Stealing of Sensitive Information

    barindex
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Detected Nanocore Rat
    Source: x4VGltSj0j.exe, 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: x4VGltSj0j.exe, 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: x4VGltSj0j.exe, 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RAT
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b0000.16.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f0b7d6.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.40120c8.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f1060c.3.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 3.2.x4VGltSj0j.exe.53b4629.17.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 12.2.x4VGltSj0j.exe.3f14c35.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.4044ce8.4.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.x4VGltSj0j.exe.3fdb2a8.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 5476, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6704, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6796, type: MEMORYSTR
    Source: Yara matchFile source: Process Memory Space: x4VGltSj0j.exe PID: 6752, type: MEMORYSTR

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts1
    Scheduled Task/Job    		1
    Scheduled Task/Job    		112
    Process Injection    		2
    Masquerading    		21
    Input Capture    		11
    Security Software Discovery    		Remote Services21
    Input Capture    		Exfiltration Over Other Network Medium1
    Encrypted Channel    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
    Scheduled Task/Job    		1
    Disable or Modify Tools    		LSASS Memory2
    Process Discovery    		Remote Desktop Protocol1
    Archive Collected Data    		Exfiltration Over Bluetooth1
    Non-Standard Port    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
    Virtualization/Sandbox Evasion    		Security Account Manager21
    Virtualization/Sandbox Evasion    		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
    Remote Access Software    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)112
    Process Injection    		NTDS1
    Application Window Discovery    		Distributed Component Object ModelInput CaptureScheduled Transfer1
    Non-Application Layer Protocol    		SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Hidden Files and Directories    		LSA Secrets12
    System Information Discovery    		SSHKeyloggingData Transfer Size Limits21
    Application Layer Protocol    		Manipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common3
    Obfuscated Files or Information    		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup Items12
    Software Packing    		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
    Timestomp    		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 878160 Sample: x4VGltSj0j.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 13 other signatures 2->55 8 x4VGltSj0j.exe 3 2->8         started        12 x4VGltSj0j.exe 2 2->12         started        14 dhcpmon.exe 3 2->14         started        16 dhcpmon.exe 2 2->16         started        process3 file4 45 C:\Users\user\AppData\...\x4VGltSj0j.exe.log, ASCII 8->45 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 61 Injects a PE file into a foreign processes 8->61 18 x4VGltSj0j.exe 1 14 8->18         started        23 x4VGltSj0j.exe 2 12->23         started        25 dhcpmon.exe 2 14->25         started        27 dhcpmon.exe 16->27         started        signatures5 process6 dnsIp7 47 jasonbourneblack.ddns.net 141.98.6.167, 4032, 49694 CMCSUS Germany 18->47 37 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->37 dropped 39 C:\Users\user\AppData\Roaming\...\run.dat, data 18->39 dropped 41 C:\Users\user\AppData\Local\...\tmp8CAB.tmp, XML 18->41 dropped 43 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->43 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->57 29 schtasks.exe 1 18->29         started        31 schtasks.exe 1 18->31         started        file8 signatures9 process10 process11 33 conhost.exe 29->33         started        35 conhost.exe 31->35         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    x4VGltSj0j.exe22%ReversingLabsWin32.Trojan.Pwsx
    x4VGltSj0j.exe28%VirustotalBrowse
    x4VGltSj0j.exe100%Joe Sandbox ML

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe22%ReversingLabsWin32.Trojan.Pwsx

    Unpacked PE Files

    No Antivirus matches

    Domains

    SourceDetectionScannerLabelLink
    jasonbourneblack.ddns.net10%VirustotalBrowse

    URLs

    SourceDetectionScannerLabelLink
    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
    http://www.tiro.com0%URL Reputationsafe
    http://www.goodfont.co.kr0%URL Reputationsafe
    http://www.carterandcone.com0%URL Reputationsafe
    http://www.sajatypeworks.com0%URL Reputationsafe
    http://www.typography.netD0%URL Reputationsafe
    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
    http://fontfabrik.com0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/40%URL Reputationsafe
    http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
    http://www.fontbureau.comcom0%URL Reputationsafe
    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
    http://www.carterandcone.comitk0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/jp/Q0%URL Reputationsafe
    http://www.sandoll.co.kr0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/&0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.urwpp.deDPlease0%URL Reputationsafe
    http://www.zhongyicts.com.cn0%URL Reputationsafe
    http://www.carterandcone.comscrf:0%Avira URL Cloudsafe
    http://www.sakkal.com0%URL Reputationsafe
    http://www.fontbureau.com.TTF0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/X0%URL Reputationsafe
    http://www.fontbureau.comF0%URL Reputationsafe
    http://www.fontbureau.comF0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/Q0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/jp/o0%URL Reputationsafe
    http://www.fontbureau.comion0%URL Reputationsafe
    http://www.tiro.comlic0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/C0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/jp/u0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/Y0g0%VirustotalBrowse
    http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
    http://www.fontbureau.coma0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/?0%URL Reputationsafe
    127.0.0.10%Avira URL Cloudsafe
    http://www.jiyu-kobo.co.jp/f?0%Avira URL Cloudsafe
    http://www.carterandcone.coml0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/Y0g0%Avira URL Cloudsafe
    http://www.fontbureau.comf?0%Avira URL Cloudsafe
    http://www.urwpp.deN0%Avira URL Cloudsafe
    http://www.urwpp.deI0%Avira URL Cloudsafe
    http://www.fontbureau.comk0%URL Reputationsafe
    http://www.founder.com.cn/cn0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/Y0/0%URL Reputationsafe
    http://www.fontbureau.comcomF0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
    http://www.jiyu-kobo.co.jp/g0%URL Reputationsafe
    http://www.fontbureau.comals0%URL Reputationsafe
    http://www.zhongyicts.com.cno.S0%Avira URL Cloudsafe
    http://www.tiro.comlic60%Avira URL Cloudsafe
    http://www.fontbureau.comcomau0%Avira URL Cloudsafe
    jasonbourneblack.ddns.net100%Avira URL Cloudmalware
    http://www.carterandcone.comenc0%Avira URL Cloudsafe
    http://www.jiyu-kobo.co.jp/jp/f?0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    jasonbourneblack.ddns.net
    		141.98.6.167
    		truetrueunknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    127.0.0.1true
    • Avira URL Cloud: safe
    		unknown
    jasonbourneblack.ddns.nettrue
    • Avira URL Cloud: malware
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://www.fontbureau.com/designersGx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
      		high
      http://www.fontbureau.com/designers/?x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.founder.com.cn/cn/bThex4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
        • URL Reputation: safe
        		unknown
        http://www.fontbureau.com/designers?x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.tiro.comx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541072737.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.fontbureau.com/designersx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.jiyu-kobo.co.jp/f?x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.goodfont.co.krx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            		unknown
            http://google.comx4VGltSj0j.exe, 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmpfalse
              		high
              http://www.carterandcone.comx4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.sajatypeworks.comx4VGltSj0j.exe, 00000000.00000003.539411991.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.539394916.000000000595B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.jiyu-kobo.co.jp/Y0gx4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              		unknown
              http://www.typography.netDx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.founder.com.cn/cn/cThex4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.galapagosdesign.com/staff/dennis.htmx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://fontfabrik.comx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.carterandcone.comscrf:x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.jiyu-kobo.co.jp/4x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.jiyu-kobo.co.jp//x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.fontbureau.comcomx4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.galapagosdesign.com/DPleasex4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.carterandcone.comitkx4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.jiyu-kobo.co.jp/jp/Qx4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.fonts.comx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.sandoll.co.krx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.jiyu-kobo.co.jp/&x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.urwpp.deDPleasex4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                http://www.zhongyicts.com.cnx4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex4VGltSj0j.exe, 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.sakkal.comx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com.TTFx4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.apache.org/licenses/LICENSE-2.0x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.comx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.jiyu-kobo.co.jp/Xx4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comFx4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comf?x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/Qx4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.urwpp.deNx4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/jp/ox4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.urwpp.deIx4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.comionx4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.comlicx4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/Cx4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/jp/ux4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.zhongyicts.com.cno.Sx4VGltSj0j.exe, 00000000.00000003.541234411.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541204121.0000000005949000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/jp/x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comax4VGltSj0j.exe, 00000000.00000003.552697773.0000000005940000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.comlic6x4VGltSj0j.exe, 00000000.00000003.541363758.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/?x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comcomaux4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.carterandcone.comlx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers/cabarga.htmlNx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.comkx4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542610815.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cnx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designers/frere-user.htmlx4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.jiyu-kobo.co.jp/Y0/x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.comcomFx4VGltSj0j.exe, 00000000.00000003.542552861.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/x4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541749083.000000000594B000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541863069.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.542376102.0000000005956000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmp, x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers8x4VGltSj0j.exe, 00000000.00000002.562925196.0000000006A52000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/gx4VGltSj0j.exe, 00000000.00000003.542277981.0000000005956000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comalsx4VGltSj0j.exe, 00000000.00000003.542949913.0000000005957000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comencx4VGltSj0j.exe, 00000000.00000003.542376102.0000000005942000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers/x4VGltSj0j.exe, 00000000.00000003.542552861.0000000005942000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              http://www.jiyu-kobo.co.jp/jp/f?x4VGltSj0j.exe, 00000000.00000003.541968761.0000000005952000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              141.98.6.167
                              		jasonbourneblack.ddns.netGermany
                              		33657CMCSUStrue

                              General Information

                              Joe Sandbox Version:37.1.0 Beryl
                              Analysis ID:878160
                              Start date and time:2023-05-30 13:06:59 +02:00
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 12m 14s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                              Number of analysed new started processes analysed:14
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample file name:x4VGltSj0j.exe
                              Original Sample Name:20ef67d923f487ff82fb19be1270571c.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@18/10@3/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HDC Information:Failed
                              HCA Information:
                              • Successful, ratio: 97%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe

                              Warnings

                              • Exclude process from analysis (whitelisted): audiodg.exe, WMIADAP.exe
                              • TCP Packets have been reduced to 100
                              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              13:07:58API Interceptor922x Sleep call for process: x4VGltSj0j.exe modified
                              13:08:04Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\x4VGltSj0j.exe" s>$(Arg0)
                              13:08:04Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
                              13:08:04AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              13:08:13API Interceptor2x Sleep call for process: dhcpmon.exe modified

                              Joe Sandbox View / Context

                              IPs

                              No context

                              Domains

                              No context

                              ASNs

                              No context

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):816128
                              Entropy (8bit):7.614289847336906
                              Encrypted:false
                              SSDEEP:12288:gX2B0xTGlxNqvNu2hZ+nUEsn9mpwZFYpU2bgnBNMjUw+CR3BJQwV54OEcZPHu/8C:gXLaVUH9994pUbBaQwXR3PJ5CcZOE83
                              MD5:20EF67D923F487FF82FB19BE1270571C
                              SHA1:6E87A3A9A4DBE64F9626F2230CD2FEA63452EE68
                              SHA-256:77DD08FAC6833C6EF555E84C2EF5599ED10B7E6DAD2DA324E4AD643E843709D0
                              SHA-512:C4D628BC4E662E374EC30C141B2FCFD1D5580DFABAB5FCD0343C7482DF8FD4BEEAD39A0D96F2C362534408D39405BC7C5B0A4E2643BE34CA7D0A25352E88258B
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 22%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.V...............0..j............... ........@.. ....................................@.................................<...O....................................b..p............................................ ............... ..H............text....h... ...j.................. ..`.rsrc................l..............@..@.reloc...............r..............@..B................p.......H.......\...0j......g....W..................................................9...%.r...p.%.r...p.%.r!..p.}......}.....(.......(.....*..*..0..m.........{....o....o....o.........,%.r7..prg..p..0(....&.{....o....&8*....{....o....o....o.........,%.r{..prg..p..0(....&.{....o....&8......9...%.r...p.%..{....o....o.....%.r...p.%..{....o....o.....%.r-..p.(......(w...(.........,I..s).......o......(......{....r1..po......{....r1..po......{....o....&.+D.r3..prg..p..0(....&.{....r1..po....

                              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

                              Download File
                              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x4VGltSj0j.exe.log

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.355304211458859
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                              MD5:FED34146BF2F2FA59DCF8702FCC8232E
                              SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                              SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                              SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                              Malicious:true
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                              C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1300
                              Entropy (8bit):5.112189246737583
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Yiqlxtn:cbk4oL600QydbQxIYODOLedq3Rj
                              MD5:C61B35863B7CAE63C3BF834C1D47218B
                              SHA1:ABFDC256D43FDBBF643453B28606B8EAF69BE764
                              SHA-256:A0ABA28B7A1128556AC9777F6CA198CCFE7C5F56E36BAA2E48ADB028E1306004
                              SHA-512:773D5AF6C8BECC81E51F929CD1D9EE10277AC6ACCB181F5F770D7C9CC415B4B00BA21950D0A571F0DC86CDE46D8E306F0EC69E95223CD9576FBC1B8E5059C432
                              Malicious:true
                              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                              C:\Users\user\AppData\Local\Temp\tmp8E42.tmp

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1310
                              Entropy (8bit):5.109425792877704
                              Encrypted:false
                              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                              MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                              SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                              SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                              SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):232
                              Entropy (8bit):7.024371743172393
                              Encrypted:false
                              SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                              MD5:32D0AAE13696FF7F8AF33B2D22451028
                              SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                              SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                              SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                              Malicious:false
                              Preview:Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8
                              Entropy (8bit):3.0
                              Encrypted:false
                              SSDEEP:3:pFS:pFS
                              MD5:36948EE65FD386868BE70F538AEBC99B
                              SHA1:1C6953A65B21F617EEDA3D4B3317677E0C9D3D46
                              SHA-256:52460DA195769319AD0040E6797184DEF0F19BB5CDB11F33A80074E8679ED650
                              SHA-512:DEAE3F751D14F616C80C95843D928693391725A6877FFC66D8C830EC767CD111C41EAB50461AC6D5982D4AE720B57D12033028B37439FF20001611FD19ABB1D9
                              Malicious:true
                              Preview:...".`.H

                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:data
                              Category:modified
                              Size (bytes):327432
                              Entropy (8bit):7.99938831605763
                              Encrypted:true
                              SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                              MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                              SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                              SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                              SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                              Malicious:false
                              Preview:pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7

                              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

                              Download File
                              Process:C:\Users\user\Desktop\x4VGltSj0j.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):37
                              Entropy (8bit):4.17257423112624
                              Encrypted:false
                              SSDEEP:3:oNt+WfWdRziJRyJn:oNwv/iJQJn
                              MD5:532BBBFDD3C8A8902604F29875D82A81
                              SHA1:F68BEF17A8BD41B7CA3F209D8B5EC68E549A456F
                              SHA-256:9E2E102670F2FA1556AC0711F9C5CC4436C86E2765BE5E0205D04F6E171B8D1F
                              SHA-512:FF8CFD7F42A5B1966ADDAC7AF89EC5AE683BD14020B698D895679D907FAB717B7CFAAF5AD09E73446BFE1CA0161152C88C66D974275E039A4C7C141C8669C5ED
                              Malicious:false
                              Preview:C:\Users\user\Desktop\x4VGltSj0j.exe

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.614289847336906
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:x4VGltSj0j.exe
                              File size:816128
                              MD5:20ef67d923f487ff82fb19be1270571c
                              SHA1:6e87a3a9a4dbe64f9626f2230cd2fea63452ee68
                              SHA256:77dd08fac6833c6ef555e84c2ef5599ed10b7e6dad2da324e4ad643e843709d0
                              SHA512:c4d628bc4e662e374ec30c141b2fcfd1d5580dfabab5fcd0343c7482df8fd4beead39a0d96f2c362534408d39405bc7c5b0a4e2643be34ca7d0a25352e88258b
                              SSDEEP:12288:gX2B0xTGlxNqvNu2hZ+nUEsn9mpwZFYpU2bgnBNMjUw+CR3BJQwV54OEcZPHu/8C:gXLaVUH9994pUbBaQwXR3PJ5CcZOE83
                              TLSH:8005F141B5BB4B1BC1BA53F48500A2712BBE269DB8B2E31F4EDBF4D76551F014A81B23
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.V...............0..j............... ........@.. ....................................@................................

                              File Icon

                              Icon Hash:90cececece8e8eb0

                              Static PE Info

                              General

                              Entrypoint:0x4c888e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0xBD56133A [Fri Aug 29 10:47:22 2070 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                              Entrypoint Preview

                              Instruction
                              jmp dword ptr [00402000h]
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al
                              add byte ptr [eax], al

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0xc883c0x4f.text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0xca0000x5a4.rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0xcc0000xc.reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG0xc621c0x70.text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              .text0x20000xc68940xc6a00False0.8787390851164254data7.620478844643008IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc0xca0000x5a40x600False0.4212239583333333data4.0770589259622545IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc0xcc0000xc0x200False0.044921875data0.09800417566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              NameRVASizeTypeLanguageCountry
                              RT_VERSION0xca0900x314data
                              RT_MANIFEST0xca3b40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                              Imports

                              DLLImport
                              mscoree.dll_CorExeMain

                              Network Behavior

                              Snort IDS Alerts

                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                              192.168.2.4141.98.6.1674969440322025019 05/30/23-13:08:06.488254TCP2025019ET TROJAN Possible NanoCore C2 60B496944032192.168.2.4141.98.6.167
                              192.168.2.4141.98.6.1674969440322816766 05/30/23-13:08:09.282700TCP2816766ETPRO TROJAN NanoCore RAT CnC 7496944032192.168.2.4141.98.6.167

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              May 30, 2023 13:08:06.274028063 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:06.301248074 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:06.301433086 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:06.488254070 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:06.564220905 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:06.565438986 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:06.645399094 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:07.538510084 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:07.607856035 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:07.826369047 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:07.852054119 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:07.879791975 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:07.960787058 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:07.969623089 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.056312084 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.130402088 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.130459070 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.130477905 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.130494118 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.130592108 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.130634069 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.156972885 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157011986 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157032967 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157054901 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157074928 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157077074 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.157098055 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157108068 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.157119036 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157140970 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.157152891 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.157187939 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183305979 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183341980 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183362007 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183403015 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183413029 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183423042 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183444977 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183445930 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183465958 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183486938 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183487892 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183509111 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183528900 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183538914 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183551073 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183571100 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183584929 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183592081 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183612108 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183633089 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183633089 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183653116 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.183655977 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.183689117 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.211751938 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211791992 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211812973 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211837053 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211852074 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.211858034 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211879969 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211880922 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.211901903 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211924076 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211945057 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211956978 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.211967945 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.211985111 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.211988926 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212011099 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212038040 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212047100 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212057114 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212069035 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212090015 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212112904 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212127924 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212138891 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212151051 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212152958 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212172985 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212193966 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212198973 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212215900 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212238073 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212255001 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212270021 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212277889 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212311029 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212333918 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212354898 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212362051 CEST496944032192.168.2.4141.98.6.167
                              May 30, 2023 13:08:08.212378025 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212392092 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212405920 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212419987 CEST403249694141.98.6.167192.168.2.4
                              May 30, 2023 13:08:08.212434053 CEST403249694141.98.6.167192.168.2.4

                              UDP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              May 30, 2023 13:08:06.216593981 CEST5968353192.168.2.48.8.8.8
                              May 30, 2023 13:08:06.251574993 CEST53596838.8.8.8192.168.2.4
                              May 30, 2023 13:08:18.664226055 CEST6416753192.168.2.48.8.8.8
                              May 30, 2023 13:08:18.684761047 CEST53641678.8.8.8192.168.2.4
                              May 30, 2023 13:08:24.898333073 CEST5856553192.168.2.48.8.8.8
                              May 30, 2023 13:08:24.919045925 CEST53585658.8.8.8192.168.2.4

                              DNS Queries

                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                              May 30, 2023 13:08:06.216593981 CEST192.168.2.48.8.8.80x3217Standard query (0)jasonbourneblack.ddns.netA (IP address)IN (0x0001)false
                              May 30, 2023 13:08:18.664226055 CEST192.168.2.48.8.8.80x1d76Standard query (0)jasonbourneblack.ddns.netA (IP address)IN (0x0001)false
                              May 30, 2023 13:08:24.898333073 CEST192.168.2.48.8.8.80x3164Standard query (0)jasonbourneblack.ddns.netA (IP address)IN (0x0001)false

                              DNS Answers

                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                              May 30, 2023 13:08:06.251574993 CEST8.8.8.8192.168.2.40x3217No error (0)jasonbourneblack.ddns.net141.98.6.167A (IP address)IN (0x0001)false
                              May 30, 2023 13:08:18.684761047 CEST8.8.8.8192.168.2.40x1d76No error (0)jasonbourneblack.ddns.net141.98.6.167A (IP address)IN (0x0001)false
                              May 30, 2023 13:08:24.919045925 CEST8.8.8.8192.168.2.40x3164No error (0)jasonbourneblack.ddns.net141.98.6.167A (IP address)IN (0x0001)false

                              Statistics

                              Behavior

                              Click to jump to process

                              System Behavior

                              General

                              Target ID:0
                              Start time:13:07:53
                              Start date:30/05/2023
                              Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Imagebase:0x570000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.557049531.0000000003FDB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              General

                              Target ID:3
                              Start time:13:08:00
                              Start date:30/05/2023
                              Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Imagebase:0x540000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831317891.0000000007010000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830963425.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828540594.0000000005380000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.0000000003BEB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000003.572812783.000000000619B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831505187.0000000007170000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828765767.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830668276.0000000006D20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830818875.0000000006D40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830884662.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.821764606.0000000003A6F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.806981583.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830628451.0000000006D10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828461289.0000000005370000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.830754670.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.828091311.00000000050B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831120142.0000000006FF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.831774560.00000000071A0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              Reputation:low

                              General

                              Target ID:4
                              Start time:13:08:02
                              Start date:30/05/2023
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp8CAB.tmp
                              Imagebase:0x1110000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Target ID:5
                              Start time:13:08:02
                              Start date:30/05/2023
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c72c0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Target ID:6
                              Start time:13:08:03
                              Start date:30/05/2023
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8E42.tmp
                              Imagebase:0x1110000
                              File size:185856 bytes
                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Target ID:7
                              Start time:13:08:03
                              Start date:30/05/2023
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7c72c0000
                              File size:625664 bytes
                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              General

                              Target ID:8
                              Start time:13:08:04
                              Start date:30/05/2023
                              Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe 0
                              Imagebase:0x500000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Reputation:low

                              General

                              Target ID:9
                              Start time:13:08:04
                              Start date:30/05/2023
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                              Imagebase:0x690000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 22%, ReversingLabs
                              Reputation:low

                              General

                              Target ID:10
                              Start time:13:08:13
                              Start date:30/05/2023
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                              Imagebase:0x630000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:.Net C# or VB.NET
                              Reputation:low

                              General

                              Target ID:11
                              Start time:13:08:16
                              Start date:30/05/2023
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Imagebase:0xe00000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.624520249.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000B.00000002.617492931.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              General

                              Target ID:12
                              Start time:13:08:16
                              Start date:30/05/2023
                              Path:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\Desktop\x4VGltSj0j.exe
                              Imagebase:0xa90000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:.Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.624499056.0000000003EC9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                              • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.623571308.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low

                              General

                              Target ID:13
                              Start time:13:08:24
                              Start date:30/05/2023
                              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                              Imagebase:0xf80000
                              File size:816128 bytes
                              MD5 hash:20EF67D923F487FF82FB19BE1270571C
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:.Net C# or VB.NET
                              Reputation:low

                              Disassembly

                              No disassembly