Edit tour

Windows Analysis Report
A1DB2JVWGG.CNT.exe

Overview

General Information

Sample Name:	A1DB2JVWGG.CNT.exe
Analysis ID:	880328
MD5:	a7817732eded62797b0c5e9da109edd7
SHA1:	e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb
SHA256:	95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore, DarkComet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus detection for URL or domain

Antivirus detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected DarkComet

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Uses cmd line tools excessively to alter registry or file data

Machine Learning detection for sample

Drops PE files to the document folder of the user

Allocates memory in foreign processes

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses dynamic DNS services

Installs a global keyboard hook

Writes to foreign memory regions

Changes security center settings (notifications, updates, antivirus, firewall)

Disables the Windows task manager (taskmgr)

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Modifies existing windows services

Drops PE files

Tries to load missing DLLs

Yara detected Keylogger Generic

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Searches for user specific document files

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

Enables driver privileges

Detected TCP or UDP traffic on non-standard ports

Enables security privileges

Classification

Process Tree

System is w10x64

A1DB2JVWGG.CNT.exe (PID: 7460 cmdline: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

powershell.exe (PID: 7544 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7640 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7660 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

A1DB2JVWGG.CNT.exe (PID: 7852 cmdline: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

A1DB2JVWGG.CNT.exe (PID: 7908 cmdline: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

A1DB2JVWGG.CNT.exe (PID: 7936 cmdline: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

A1DB2JVWGG.CNT.exe (PID: 7948 cmdline: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

cmd.exe (PID: 8032 cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 8096 cmdline: attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)

cmd.exe (PID: 8040 cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

attrib.exe (PID: 8152 cmdline: attrib "C:\Users\user\Desktop" +s +h MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)

JUNE STUB.EXE (PID: 8176 cmdline: "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE" MD5: 4D9AC7D6E684CD3874B662971B6BC536)

notepad.exe (PID: 7292 cmdline: notepad MD5: D693F13FE3AA2010B854C4C60671B8E2)

msdcsc.exe (PID: 5860 cmdline: "C:\Users\user\Documents\MSDCSC\msdcsc.exe" MD5: A7817732EDED62797B0C5E9DA109EDD7)

powershell.exe (PID: 2680 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 4404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7672 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 7688 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp5A49.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

msdcsc.exe (PID: 6284 cmdline: C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

msdcsc.exe (PID: 6288 cmdline: C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

JUNE STUB.EXE (PID: 8152 cmdline: "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE" MD5: 4D9AC7D6E684CD3874B662971B6BC536)

notepad.exe (PID: 1340 cmdline: notepad MD5: D693F13FE3AA2010B854C4C60671B8E2)

JXayEzy.exe (PID: 7808 cmdline: C:\Users\user\AppData\Roaming\JXayEzy.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

msdcsc.exe (PID: 7264 cmdline: "C:\Users\user\Documents\MSDCSC\msdcsc.exe" MD5: A7817732EDED62797B0C5E9DA109EDD7)

schtasks.exe (PID: 7804 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp9C72.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

msdcsc.exe (PID: 5840 cmdline: C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

dhcpmon.exe (PID: 6384 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 4D9AC7D6E684CD3874B662971B6BC536)

msdcsc.exe (PID: 7432 cmdline: "C:\Users\user\Documents\MSDCSC\msdcsc.exe" MD5: A7817732EDED62797B0C5E9DA109EDD7)

schtasks.exe (PID: 7612 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmpE34F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

msdcsc.exe (PID: 5100 cmdline: C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

msdcsc.exe (PID: 5236 cmdline: C:\Users\user\Documents\MSDCSC\msdcsc.exe MD5: A7817732EDED62797B0C5E9DA109EDD7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nanocore RAT, NanoCore	Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.	APT33 The Gorgon Group	https://assets.virustotal.com/reports/2021trends.pdf https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.morphisec.com/syk-crypter-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore

Name	Description	Attribution	Blogpost URLs	Link
DarkComet	DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.	APT33 Lazarus Group Operation C-Major	http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/ https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/ https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet

Malware Configuration

Threatname: DarkComet

{"MUTEX": "DC_MUTEX-75NC51J", "SID": "JUNE 2023", "FWB": "0", "NETDATA": ["timmy08.ddns.net:39399"], "GENCODE": "l2V3BCJaaFmA", "INSTALL": "1", "COMBOPATH": "7", "EDTPATH": "MSDCSC\\msdcsc.exe", "KEYNAME": "chrome", "EDTDATE": "16/04/2007", "PERSINST": "1", "MELT": "1", "CHANGEDATE": "0", "DIRATTRIB": "6", "FILEATTRIB": "6", "SH1": "1", "SH3": "1", "SH7": "1", "SH8": "1", "SH9": "1", "CHIDEF": "1", "CHIDED": "1", "PERS": "1", "OFFLINEK": "1", "BIND": "1", "MULTIBIND": "1"}

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "29684d78-e3d5-43d3-a123-9a499c31", "Group": "JUNE 2023", "Domain1": "timmy08.ddns.net", "Domain2": "timmy06.ddns.net", "Port": 28289, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000020.00000002.622990283.0000000002C81000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf58:$b: #EOF DARKCOMET DATA -- 0xfd7:$c: DC_MUTEX-
00000027.00000002.468665185.0000000002E81000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xf08:$a: #BEGIN DARKCOMET DATA -- 0xfd0:$a: #BEGIN DARKCOMET DATA -- 0xee0:$b: #EOF DARKCOMET DATA -- 0xfaf:$c: DC_MUTEX-
00000027.00000002.468665185.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x948:$c: DC_MUTEX-
00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
0000000C.00000002.400104178.0000000003096000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6e8:$k2: #KCMDDC51#-890
0000002B.00000002.507022400.0000000002ACA000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x948:$c: DC_MUTEX-
00000020.00000002.622990283.0000000002C2C000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x358:$a: #BEGIN DARKCOMET DATA -- 0x718:$a: #BEGIN DARKCOMET DATA -- 0x4fe:$b: #EOF DARKCOMET DATA -- 0x8be:$b: #EOF DARKCOMET DATA -- 0x379:$c: DC_MUTEX- 0x739:$c: DC_MUTEX-
00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
0000002B.00000002.507022400.0000000002AA6000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6e8:$k2: #KCMDDC51#-890
00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493c5:$a: NanoCore 0x4941e:$a: NanoCore 0x4945b:$a: NanoCore 0x494d4:$a: NanoCore 0x5cb7f:$a: NanoCore 0x5cb94:$a: NanoCore 0x5cbc9:$a: NanoCore 0x7564b:$a: NanoCore 0x75660:$a: NanoCore 0x75695:$a: NanoCore 0x49427:$b: ClientPlugin 0x49464:$b: ClientPlugin 0x49d62:$b: ClientPlugin 0x49d6f:$b: ClientPlugin 0x5c93b:$b: ClientPlugin 0x5c956:$b: ClientPlugin 0x5c986:$b: ClientPlugin 0x5cb9d:$b: ClientPlugin 0x5cbd2:$b: ClientPlugin 0x75407:$b: ClientPlugin 0x75422:$b: ClientPlugin
00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4945b:$a1: NanoCore.ClientPluginHost 0x5cbc9:$a1: NanoCore.ClientPluginHost 0x75695:$a1: NanoCore.ClientPluginHost 0x4941e:$a2: NanoCore.ClientPlugin 0x5cb94:$a2: NanoCore.ClientPlugin 0x75660:$a2: NanoCore.ClientPlugin 0x497f2:$b1: get_BuilderSettings 0x61b0f:$b1: get_BuilderSettings 0x7a5db:$b1: get_BuilderSettings 0x494a9:$b4: IClientAppHost 0x49863:$b6: AddHostEntry 0x498d2:$b7: LogClientException 0x61a7e:$b7: LogClientException 0x7a54a:$b7: LogClientException 0x49847:$b8: PipeExists 0x49496:$b9: IClientLoggingHost 0x5cbe3:$b9: IClientLoggingHost 0x756af:$b9: IClientLoggingHost
0000002B.00000002.507022400.0000000002A7C000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x358:$a: #BEGIN DARKCOMET DATA -- 0x718:$a: #BEGIN DARKCOMET DATA -- 0x4fe:$b: #EOF DARKCOMET DATA -- 0x8be:$b: #EOF DARKCOMET DATA -- 0x379:$c: DC_MUTEX- 0x739:$c: DC_MUTEX-
00000027.00000002.468665185.0000000002E56000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6e8:$k2: #KCMDDC51#-890
00000020.00000002.622990283.0000000002C7A000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x928:$c: DC_MUTEX- 0xa28:$k2: #KCMDDC51#-890
00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23b7b:$a: NanoCore 0x23bd4:$a: NanoCore 0x23c11:$a: NanoCore 0x23c8a:$a: NanoCore 0x23bdd:$b: ClientPlugin 0x23c1a:$b: ClientPlugin 0x24518:$b: ClientPlugin 0x24525:$b: ClientPlugin 0x1b3d4:$e: KeepAlive 0x24065:$g: LogClientMessage 0x23fe5:$i: get_Connected 0x15bad:$j: #=q 0x15bdd:$j: #=q 0x15c19:$j: #=q 0x15c41:$j: #=q 0x15c71:$j: #=q 0x15ca1:$j: #=q 0x15cd1:$j: #=q 0x15d01:$j: #=q 0x15d1d:$j: #=q 0x15d4d:$j: #=q
00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23c11:$a1: NanoCore.ClientPluginHost 0x23bd4:$a2: NanoCore.ClientPlugin 0x170e7:$b1: get_BuilderSettings 0x23fa8:$b1: get_BuilderSettings 0x23c5f:$b4: IClientAppHost 0x24019:$b6: AddHostEntry 0x17056:$b7: LogClientException 0x24088:$b7: LogClientException 0x23ffd:$b8: PipeExists 0x23c4c:$b9: IClientLoggingHost
00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0x7dd24:$x1: UnActiveOfflineKeylogger 0x84e2c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x7dc88:$x3: ActiveOnlineKeylogger 0x7e534:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x7e3c5:$s2: Command successfully executed!\| 0x65d98:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x72e28:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x73ae4:$s5: \Internet Explorer\iexplore.exe 0x7d510:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x65f84:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0x83830:$s8: POST /index.php/1.0
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2da7a:$a: NanoCore 0x2da9f:$a: NanoCore 0x2daf8:$a: NanoCore 0x3dca3:$a: NanoCore 0x3dcc9:$a: NanoCore 0x3dd25:$a: NanoCore 0x4ab83:$a: NanoCore 0x4abdc:$a: NanoCore 0x4ac0f:$a: NanoCore 0x4ae3b:$a: NanoCore 0x4aeb7:$a: NanoCore 0x4b4d0:$a: NanoCore 0x4b619:$a: NanoCore 0x4baed:$a: NanoCore 0x4bdd4:$a: NanoCore 0x4bdeb:$a: NanoCore 0x54c93:$a: NanoCore 0x54d0f:$a: NanoCore 0x575f2:$a: NanoCore 0x5cbc1:$a: NanoCore 0x5cc3b:$a: NanoCore
00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2da9f:$a1: NanoCore.ClientPluginHost 0x3dcc9:$a1: NanoCore.ClientPluginHost 0x4ae3b:$a1: NanoCore.ClientPluginHost 0x54c93:$a1: NanoCore.ClientPluginHost 0x5cbc1:$a1: NanoCore.ClientPluginHost 0x62b9c:$a1: NanoCore.ClientPluginHost 0x6a637:$a1: NanoCore.ClientPluginHost 0x75621:$a1: NanoCore.ClientPluginHost 0x813cf:$a1: NanoCore.ClientPluginHost 0x8d122:$a1: NanoCore.ClientPluginHost 0x9d803:$a1: NanoCore.ClientPluginHost 0x2da7a:$a2: NanoCore.ClientPlugin 0x3dca3:$a2: NanoCore.ClientPlugin 0x4aeb7:$a2: NanoCore.ClientPlugin 0x54d0f:$a2: NanoCore.ClientPlugin 0x5cc3b:$a2: NanoCore.ClientPlugin 0x62be6:$a2: NanoCore.ClientPlugin 0x6a6d7:$a2: NanoCore.ClientPlugin 0x755f8:$a2: NanoCore.ClientPlugin 0x813a6:$a2: NanoCore.ClientPlugin 0x8d0fd:$a2: NanoCore.ClientPlugin
00000027.00000002.468665185.0000000002E2C000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x358:$a: #BEGIN DARKCOMET DATA -- 0x718:$a: #BEGIN DARKCOMET DATA -- 0x4fe:$b: #EOF DARKCOMET DATA -- 0x8be:$b: #EOF DARKCOMET DATA -- 0x379:$c: DC_MUTEX- 0x739:$c: DC_MUTEX-
00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xff8d:$a1: NanoCore.ClientPluginHost 0xff4d:$a2: NanoCore.ClientPlugin 0x11ea6:$b1: get_BuilderSettings 0xfda9:$b2: ClientLoaderForm.resources 0x115c6:$b3: PluginCommand 0xff7e:$b4: IClientAppHost 0x1a3fe:$b5: GetBlockHash 0x124fe:$b6: AddHostEntry 0x161f1:$b7: LogClientException 0x1246b:$b8: PipeExists 0xffb7:$b9: IClientLoggingHost
00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d8a21:$x1: NanoCore.ClientPluginHost 0x2a5261:$x1: NanoCore.ClientPluginHost 0x1d8a5e:$x2: IClientNetworkHost 0x2a529e:$x2: IClientNetworkHost 0x1dc591:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2a8dd1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x1a52f4:$a1: #BOT#URLUpdate 0x284314:$a1: #BOT#URLUpdate 0x1a520d:$a2: Command successfully executed! 0x28422d:$a2: Command successfully executed! 0x128250:$b1: FastMM Borland Edition 0x207270:$b1: FastMM Borland Edition 0x152d94:$b2: %s, ClassID: %s 0x231db4:$b2: %s, ClassID: %s 0x199c70:$b3: I wasn't able to open the hosts file 0x278c90:$b3: I wasn't able to open the hosts file 0x1a50f8:$b4: #BOT#VisitUrl 0x284118:$b4: #BOT#VisitUrl 0x194008:$b5: #KCMDDC 0x273028:$b5: #KCMDDC
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d8789:$a: NanoCore 0x1d8799:$a: NanoCore 0x1d89cd:$a: NanoCore 0x1d89e1:$a: NanoCore 0x1d8a21:$a: NanoCore 0x2a4fc9:$a: NanoCore 0x2a4fd9:$a: NanoCore 0x2a520d:$a: NanoCore 0x2a5221:$a: NanoCore 0x2a5261:$a: NanoCore 0x1d87e8:$b: ClientPlugin 0x1d89ea:$b: ClientPlugin 0x1d8a2a:$b: ClientPlugin 0x2a5028:$b: ClientPlugin 0x2a522a:$b: ClientPlugin 0x2a526a:$b: ClientPlugin 0x1d890f:$c: ProjectData 0x2a514f:$c: ProjectData 0x1d9316:$d: DESCrypto 0x2a5b56:$d: DESCrypto 0x1ad1b2:$e: KeepAlive
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x1a5110:$bot1: #BOT#OpenUrl 0x284130:$bot1: #BOT#OpenUrl 0x1a518c:$bot2: #BOT#Ping 0x2841ac:$bot2: #BOT#Ping 0x1a51d4:$bot3: #BOT#RunPrompt 0x2841f4:$bot3: #BOT#RunPrompt 0x1a5294:$bot4: #BOT#SvrUninstall 0x2842b4:$bot4: #BOT#SvrUninstall 0x1a53dc:$bot5: #BOT#URLDownload 0x2843fc:$bot5: #BOT#URLDownload 0x1a52f4:$bot6: #BOT#URLUpdate 0x284314:$bot6: #BOT#URLUpdate 0x1a50f8:$bot7: #BOT#VisitUrl 0x284118:$bot7: #BOT#VisitUrl 0x1a5238:$bot8: #BOT#CloseServer 0x284258:$bot8: #BOT#CloseServer 0x1a5480:$ddos1: DDOSHTTPFLOOD 0x2844a0:$ddos1: DDOSHTTPFLOOD 0x1a5498:$ddos2: DDOSSYNFLOOD 0x2844b8:$ddos2: DDOSSYNFLOOD 0x1a54b0:$ddos3: DDOSUDPFLOOD
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a52f4:$a1: #BOT#URLUpdate 0x284314:$a1: #BOT#URLUpdate 0x1a520d:$a2: Command successfully executed! 0x28422d:$a2: Command successfully executed! 0x128250:$b1: FastMM Borland Edition 0x207270:$b1: FastMM Borland Edition 0x152d94:$b2: %s, ClassID: %s 0x231db4:$b2: %s, ClassID: %s 0x199c70:$b3: I wasn't able to open the hosts file 0x278c90:$b3: I wasn't able to open the hosts file 0x1a50f8:$b4: #BOT#VisitUrl 0x284118:$b4: #BOT#VisitUrl 0x194008:$b5: #KCMDDC 0x273028:$b5: #KCMDDC
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	DarkComet_4	unknown	unknown	0x1a50f8:$a1: #BOT# 0x1a5110:$a1: #BOT# 0x1a518c:$a1: #BOT# 0x1a51d4:$a1: #BOT# 0x1a5238:$a1: #BOT# 0x1a5294:$a1: #BOT# 0x1a52f4:$a1: #BOT# 0x1a53dc:$a1: #BOT# 0x284118:$a1: #BOT# 0x284130:$a1: #BOT# 0x2841ac:$a1: #BOT# 0x2841f4:$a1: #BOT# 0x284258:$a1: #BOT# 0x2842b4:$a1: #BOT# 0x284314:$a1: #BOT# 0x2843fc:$a1: #BOT# 0x1a5814:$a2: WEBCAMSTOP 0x284834:$a2: WEBCAMSTOP 0x1a4bb0:$a3: UnActiveOnlineKeyStrokes 0x283bd0:$a3: UnActiveOnlineKeyStrokes 0x1a5060:$a4: #SendTaskMgr
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x1aa804:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x289824:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x1a5175:$a2: is now open!\| 0x284195:$a2: is now open!\| 0x1a4ad0:$a3: ActiveOnlineKeylogger 0x283af0:$a3: ActiveOnlineKeylogger 0x1a51d4:$a4: #BOT#RunPrompt 0x2841f4:$a4: #BOT#RunPrompt 0x1a427c:$a5: GETMONITORS 0x28329c:$a5: GETMONITORS
00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d8a21:$a1: NanoCore.ClientPluginHost 0x2a5261:$a1: NanoCore.ClientPluginHost 0x1d89e1:$a2: NanoCore.ClientPlugin 0x2a5221:$a2: NanoCore.ClientPlugin 0x1da93a:$b1: get_BuilderSettings 0x2a717a:$b1: get_BuilderSettings 0x1d883d:$b2: ClientLoaderForm.resources 0x2a507d:$b2: ClientLoaderForm.resources 0x1da05a:$b3: PluginCommand 0x2a689a:$b3: PluginCommand 0x1d8a12:$b4: IClientAppHost 0x2a5252:$b4: IClientAppHost 0x1e2e92:$b5: GetBlockHash 0x2af6d2:$b5: GetBlockHash 0x1daf92:$b6: AddHostEntry 0x2a77d2:$b6: AddHostEntry 0x1dec85:$b7: LogClientException 0x2ab4c5:$b7: LogClientException 0x1daeff:$b8: PipeExists 0x2a773f:$b8: PipeExists 0x1d8a4b:$b9: IClientLoggingHost
0000000C.00000002.400104178.000000000306C000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x358:$a: #BEGIN DARKCOMET DATA -- 0x718:$a: #BEGIN DARKCOMET DATA -- 0x4fe:$b: #EOF DARKCOMET DATA -- 0x8be:$b: #EOF DARKCOMET DATA -- 0x379:$c: DC_MUTEX- 0x739:$c: DC_MUTEX-
00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
00000013.00000002.631531483.0000000004515000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6b2b7:$a1: NanoCore.ClientPluginHost 0x77059:$a1: NanoCore.ClientPluginHost 0x9bf5d:$a1: NanoCore.ClientPluginHost 0xab39d:$a1: NanoCore.ClientPluginHost 0x6b28e:$a2: NanoCore.ClientPlugin 0x77030:$a2: NanoCore.ClientPlugin 0x9bf34:$a2: NanoCore.ClientPlugin 0xab378:$a2: NanoCore.ClientPlugin 0xab38e:$b4: IClientAppHost 0x793a2:$b7: LogClientException 0xa0f88:$b7: LogClientException 0xaf87d:$b7: LogClientException 0x6b2a4:$b9: IClientLoggingHost 0x77046:$b9: IClientLoggingHost 0x9bf4a:$b9: IClientLoggingHost 0xab3c7:$b9: IClientLoggingHost
00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10d01:$x1: NanoCore.ClientPluginHost 0x10d3e:$x2: IClientNetworkHost 0x14871:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a69:$a: NanoCore 0x10a79:$a: NanoCore 0x10cad:$a: NanoCore 0x10cc1:$a: NanoCore 0x10d01:$a: NanoCore 0x10ac8:$b: ClientPlugin 0x10cca:$b: ClientPlugin 0x10d0a:$b: ClientPlugin 0x10bef:$c: ProjectData 0x115f6:$d: DESCrypto 0x18fc2:$e: KeepAlive 0x3e636:$e: KeepAlive 0x16fb0:$g: LogClientMessage 0x131ab:$i: get_Connected 0x1192c:$j: #=q 0x1195c:$j: #=q 0x11978:$j: #=q 0x119a8:$j: #=q 0x119c4:$j: #=q 0x119e0:$j: #=q 0x11a10:$j: #=q
00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10d01:$a1: NanoCore.ClientPluginHost 0x10cc1:$a2: NanoCore.ClientPlugin 0x12c1a:$b1: get_BuilderSettings 0x10b1d:$b2: ClientLoaderForm.resources 0x1233a:$b3: PluginCommand 0x10cf2:$b4: IClientAppHost 0x1b172:$b5: GetBlockHash 0x13272:$b6: AddHostEntry 0x16f65:$b7: LogClientException 0x131df:$b8: PipeExists 0x10d2b:$b9: IClientLoggingHost
00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
0000000C.00000002.397292430.000000000049D000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000000C.00000002.400104178.00000000030BA000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x928:$c: DC_MUTEX-
00000013.00000002.631531483.000000000441F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f8d3:$a1: NanoCore.ClientPluginHost 0x1f8aa:$a2: NanoCore.ClientPlugin 0x248fe:$b7: LogClientException 0x1f8c0:$b9: IClientLoggingHost
00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
00000016.00000002.475372371.00000000033B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23ba3:$a: NanoCore 0x23bfc:$a: NanoCore 0x23c39:$a: NanoCore 0x23cb2:$a: NanoCore 0x23c05:$b: ClientPlugin 0x23c42:$b: ClientPlugin 0x24540:$b: ClientPlugin 0x2454d:$b: ClientPlugin 0x1b3fc:$e: KeepAlive 0x2408d:$g: LogClientMessage 0x2400d:$i: get_Connected 0x15bd5:$j: #=q 0x15c05:$j: #=q 0x15c41:$j: #=q 0x15c69:$j: #=q 0x15c99:$j: #=q 0x15cc9:$j: #=q 0x15cf9:$j: #=q 0x15d29:$j: #=q 0x15d45:$j: #=q 0x15d75:$j: #=q
00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x23c39:$a1: NanoCore.ClientPluginHost 0x23bfc:$a2: NanoCore.ClientPlugin 0x1710f:$b1: get_BuilderSettings 0x23fd0:$b1: get_BuilderSettings 0x23c87:$b4: IClientAppHost 0x24041:$b6: AddHostEntry 0x1707e:$b7: LogClientException 0x240b0:$b7: LogClientException 0x24025:$b8: PipeExists 0x23c74:$b9: IClientLoggingHost
00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11225:$a1: NanoCore.ClientPluginHost 0x111e8:$a2: NanoCore.ClientPlugin 0x115bc:$b1: get_BuilderSettings 0x11273:$b4: IClientAppHost 0x1162d:$b6: AddHostEntry 0x1169c:$b7: LogClientException 0x11611:$b8: PipeExists 0x11260:$b9: IClientLoggingHost
0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x199d9:$x1: NanoCore.ClientPluginHost 0x19a16:$x2: IClientNetworkHost 0x1d549:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19741:$a: NanoCore 0x19751:$a: NanoCore 0x19985:$a: NanoCore 0x19999:$a: NanoCore 0x199d9:$a: NanoCore 0x197a0:$b: ClientPlugin 0x199a2:$b: ClientPlugin 0x199e2:$b: ClientPlugin 0x198c7:$c: ProjectData 0x1a2ce:$d: DESCrypto 0x21c9a:$e: KeepAlive 0x4730e:$e: KeepAlive 0x1fc88:$g: LogClientMessage 0x1be83:$i: get_Connected 0x1a604:$j: #=q 0x1a634:$j: #=q 0x1a650:$j: #=q 0x1a680:$j: #=q 0x1a69c:$j: #=q 0x1a6b8:$j: #=q 0x1a6e8:$j: #=q
0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x199d9:$a1: NanoCore.ClientPluginHost 0x19999:$a2: NanoCore.ClientPlugin 0x1b8f2:$b1: get_BuilderSettings 0x197f5:$b2: ClientLoaderForm.resources 0x1b012:$b3: PluginCommand 0x199ca:$b4: IClientAppHost 0x23e4a:$b5: GetBlockHash 0x1bf4a:$b6: AddHostEntry 0x1fc3d:$b7: LogClientException 0x1beb7:$b8: PipeExists 0x19a03:$b9: IClientLoggingHost
00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x11681:$x1: NanoCore.ClientPluginHost 0x116be:$x2: IClientNetworkHost 0x151f1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x113e9:$a: NanoCore 0x113f9:$a: NanoCore 0x1162d:$a: NanoCore 0x11641:$a: NanoCore 0x11681:$a: NanoCore 0x11448:$b: ClientPlugin 0x1164a:$b: ClientPlugin 0x1168a:$b: ClientPlugin 0x1156f:$c: ProjectData 0x11f76:$d: DESCrypto 0x19942:$e: KeepAlive 0x3efb6:$e: KeepAlive 0x17930:$g: LogClientMessage 0x13b2b:$i: get_Connected 0x122ac:$j: #=q 0x122dc:$j: #=q 0x122f8:$j: #=q 0x12328:$j: #=q 0x12344:$j: #=q 0x12360:$j: #=q 0x12390:$j: #=q
00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x11681:$a1: NanoCore.ClientPluginHost 0x11641:$a2: NanoCore.ClientPlugin 0x1359a:$b1: get_BuilderSettings 0x1149d:$b2: ClientLoaderForm.resources 0x12cba:$b3: PluginCommand 0x11672:$b4: IClientAppHost 0x1baf2:$b5: GetBlockHash 0x13bf2:$b6: AddHostEntry 0x178e5:$b7: LogClientException 0x13b5f:$b8: PipeExists 0x116ab:$b9: IClientLoggingHost
0000000C.00000002.400104178.00000000030C1000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x1070:$a: #BEGIN DARKCOMET DATA -- 0xf80:$b: #EOF DARKCOMET DATA -- 0x104f:$c: DC_MUTEX-
00000015.00000002.442690195.000000000319D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000002B.00000002.507022400.0000000002AD1000.00000004.00001000.00020000.00000000.sdmp	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xee0:$a: #BEGIN DARKCOMET DATA -- 0xf08:$a: #BEGIN DARKCOMET DATA -- 0xfd0:$b: #EOF DARKCOMET DATA -- 0xf87:$c: DC_MUTEX-
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb1e41:$x1: NanoCore.ClientPluginHost 0xb1e7e:$x2: IClientNetworkHost 0xb59b1:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e714:$a1: #BOT#URLUpdate 0x15d734:$a1: #BOT#URLUpdate 0x7e62d:$a2: Command successfully executed! 0x15d64d:$a2: Command successfully executed! 0x1670:$b1: FastMM Borland Edition 0xe0690:$b1: FastMM Borland Edition 0x2c1b4:$b2: %s, ClassID: %s 0x10b1d4:$b2: %s, ClassID: %s 0x73090:$b3: I wasn't able to open the hosts file 0x1520b0:$b3: I wasn't able to open the hosts file 0x7e518:$b4: #BOT#VisitUrl 0x15d538:$b4: #BOT#VisitUrl 0x6d428:$b5: #KCMDDC 0x14c448:$b5: #KCMDDC
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb1ba9:$a: NanoCore 0xb1bb9:$a: NanoCore 0xb1ded:$a: NanoCore 0xb1e01:$a: NanoCore 0xb1e41:$a: NanoCore 0xb1c08:$b: ClientPlugin 0xb1e0a:$b: ClientPlugin 0xb1e4a:$b: ClientPlugin 0xb1d2f:$c: ProjectData 0xb2736:$d: DESCrypto 0x356:$e: KeepAlive 0x865d2:$e: KeepAlive 0xba102:$e: KeepAlive 0xdf776:$e: KeepAlive 0x1655f2:$e: KeepAlive 0xb80f0:$g: LogClientMessage 0xb42eb:$i: get_Connected 0xb2a6c:$j: #=q 0xb2a9c:$j: #=q 0xb2ab8:$j: #=q 0xb2ae8:$j: #=q
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e530:$bot1: #BOT#OpenUrl 0x15d550:$bot1: #BOT#OpenUrl 0x7e5ac:$bot2: #BOT#Ping 0x15d5cc:$bot2: #BOT#Ping 0x7e5f4:$bot3: #BOT#RunPrompt 0x15d614:$bot3: #BOT#RunPrompt 0x7e6b4:$bot4: #BOT#SvrUninstall 0x15d6d4:$bot4: #BOT#SvrUninstall 0x7e7fc:$bot5: #BOT#URLDownload 0x15d81c:$bot5: #BOT#URLDownload 0x7e714:$bot6: #BOT#URLUpdate 0x15d734:$bot6: #BOT#URLUpdate 0x7e518:$bot7: #BOT#VisitUrl 0x15d538:$bot7: #BOT#VisitUrl 0x7e658:$bot8: #BOT#CloseServer 0x15d678:$bot8: #BOT#CloseServer 0x7e8a0:$ddos1: DDOSHTTPFLOOD 0x15d8c0:$ddos1: DDOSHTTPFLOOD 0x7e8b8:$ddos2: DDOSSYNFLOOD 0x15d8d8:$ddos2: DDOSSYNFLOOD 0x7e8d0:$ddos3: DDOSUDPFLOOD
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e714:$a1: #BOT#URLUpdate 0x15d734:$a1: #BOT#URLUpdate 0x7e62d:$a2: Command successfully executed! 0x15d64d:$a2: Command successfully executed! 0x1670:$b1: FastMM Borland Edition 0xe0690:$b1: FastMM Borland Edition 0x2c1b4:$b2: %s, ClassID: %s 0x10b1d4:$b2: %s, ClassID: %s 0x73090:$b3: I wasn't able to open the hosts file 0x1520b0:$b3: I wasn't able to open the hosts file 0x7e518:$b4: #BOT#VisitUrl 0x15d538:$b4: #BOT#VisitUrl 0x6d428:$b5: #KCMDDC 0x14c448:$b5: #KCMDDC
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	DarkComet_4	unknown	unknown	0x7e518:$a1: #BOT# 0x7e530:$a1: #BOT# 0x7e5ac:$a1: #BOT# 0x7e5f4:$a1: #BOT# 0x7e658:$a1: #BOT# 0x7e6b4:$a1: #BOT# 0x7e714:$a1: #BOT# 0x7e7fc:$a1: #BOT# 0x15d538:$a1: #BOT# 0x15d550:$a1: #BOT# 0x15d5cc:$a1: #BOT# 0x15d614:$a1: #BOT# 0x15d678:$a1: #BOT# 0x15d6d4:$a1: #BOT# 0x15d734:$a1: #BOT# 0x15d81c:$a1: #BOT# 0x7ec34:$a2: WEBCAMSTOP 0x15dc54:$a2: WEBCAMSTOP 0x7dfd0:$a3: UnActiveOnlineKeyStrokes 0x15cff0:$a3: UnActiveOnlineKeyStrokes 0x7e480:$a4: #SendTaskMgr
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x83c24:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x162c44:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e595:$a2: is now open!\| 0x15d5b5:$a2: is now open!\| 0x7def0:$a3: ActiveOnlineKeylogger 0x15cf10:$a3: ActiveOnlineKeylogger 0x7e5f4:$a4: #BOT#RunPrompt 0x15d614:$a4: #BOT#RunPrompt 0x7d69c:$a5: GETMONITORS 0x15c6bc:$a5: GETMONITORS
00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb1e41:$a1: NanoCore.ClientPluginHost 0xb1e01:$a2: NanoCore.ClientPlugin 0xb3d5a:$b1: get_BuilderSettings 0xb1c5d:$b2: ClientLoaderForm.resources 0xb347a:$b3: PluginCommand 0xb1e32:$b4: IClientAppHost 0xbc2b2:$b5: GetBlockHash 0xb43b2:$b6: AddHostEntry 0xb80a5:$b7: LogClientException 0xb431f:$b8: PipeExists 0xb1e6b:$b9: IClientLoggingHost
00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb1aa9:$x1: NanoCore.ClientPluginHost 0xb1ae6:$x2: IClientNetworkHost 0xb5619:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e37c:$a1: #BOT#URLUpdate 0x7e295:$a2: Command successfully executed! 0x12d8:$b1: FastMM Borland Edition 0x2be1c:$b2: %s, ClassID: %s 0x72cf8:$b3: I wasn't able to open the hosts file 0x7e180:$b4: #BOT#VisitUrl 0x6d090:$b5: #KCMDDC
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb1811:$a: NanoCore 0xb1821:$a: NanoCore 0xb1a55:$a: NanoCore 0xb1a69:$a: NanoCore 0xb1aa9:$a: NanoCore 0xb1870:$b: ClientPlugin 0xb1a72:$b: ClientPlugin 0xb1ab2:$b: ClientPlugin 0xb1997:$c: ProjectData 0x3fe786:$c: ProjectData 0xb239e:$d: DESCrypto 0x8623a:$e: KeepAlive 0xb9d6a:$e: KeepAlive 0xdf3de:$e: KeepAlive 0xb7d58:$g: LogClientMessage 0xb3f53:$i: get_Connected 0xb26d4:$j: #=q 0xb2704:$j: #=q 0xb2720:$j: #=q 0xb2750:$j: #=q 0xb276c:$j: #=q
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e198:$bot1: #BOT#OpenUrl 0x7e214:$bot2: #BOT#Ping 0x7e25c:$bot3: #BOT#RunPrompt 0x7e31c:$bot4: #BOT#SvrUninstall 0x7e464:$bot5: #BOT#URLDownload 0x7e37c:$bot6: #BOT#URLUpdate 0x7e180:$bot7: #BOT#VisitUrl 0x7e2c0:$bot8: #BOT#CloseServer 0x7e508:$ddos1: DDOSHTTPFLOOD 0x7e520:$ddos2: DDOSSYNFLOOD 0x7e538:$ddos3: DDOSUDPFLOOD 0x7db58:$keylogger1: ActiveOnlineKeylogger 0x7db7a:$keylogger1: ActiveOnlineKeylogger 0x7db78:$keylogger2: UnActiveOnlineKeylogger 0x7dbd4:$keylogger3: ActiveOfflineKeylogger 0x7dbf6:$keylogger3: ActiveOfflineKeylogger 0x7dbf4:$keylogger4: UnActiveOfflineKeylogger 0x7e800:$shell1: ACTIVEREMOTESHELL 0x7e82c:$shell2: SUBMREMOTESHELL 0x7e844:$shell3: KILLREMOTESHELL
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e37c:$a1: #BOT#URLUpdate 0x7e295:$a2: Command successfully executed! 0x12d8:$b1: FastMM Borland Edition 0x2be1c:$b2: %s, ClassID: %s 0x72cf8:$b3: I wasn't able to open the hosts file 0x7e180:$b4: #BOT#VisitUrl 0x6d090:$b5: #KCMDDC
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	DarkComet_4	unknown	unknown	0x7e180:$a1: #BOT# 0x7e198:$a1: #BOT# 0x7e214:$a1: #BOT# 0x7e25c:$a1: #BOT# 0x7e2c0:$a1: #BOT# 0x7e31c:$a1: #BOT# 0x7e37c:$a1: #BOT# 0x7e464:$a1: #BOT# 0x7e89c:$a2: WEBCAMSTOP 0x7dc38:$a3: UnActiveOnlineKeyStrokes 0x7e0e8:$a4: #SendTaskMgr 0x7e58c:$a5: #RemoteScreenSize 0x7d3e0:$a6: ping 127.0.0.1 -n 4 > NUL &&
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x8388c:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e1fd:$a2: is now open!\| 0x7db58:$a3: ActiveOnlineKeylogger 0x7e25c:$a4: #BOT#RunPrompt 0x7d304:$a5: GETMONITORS
00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb1aa9:$a1: NanoCore.ClientPluginHost 0xb1a69:$a2: NanoCore.ClientPlugin 0xb39c2:$b1: get_BuilderSettings 0xb18c5:$b2: ClientLoaderForm.resources 0xb30e2:$b3: PluginCommand 0xb1a9a:$b4: IClientAppHost 0xbbf1a:$b5: GetBlockHash 0xb401a:$b6: AddHostEntry 0xb7d0d:$b7: LogClientException 0xb3f87:$b8: PipeExists 0xb1ad3:$b9: IClientLoggingHost
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3fd26:$x1: NanoCore.ClientPluginHost 0x3fd63:$x2: IClientNetworkHost 0x43811:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4e803:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5d187:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x35362:$a1: #BOT#URLUpdate 0x35219:$a2: Command successfully executed! 0x3523b:$a2: Command successfully executed! 0x2bc0d:$b1: FastMM Borland Edition 0x2bc26:$b1: FastMM Borland Edition 0x2e1ba:$b2: %s, ClassID: %s 0x2e1ca:$b2: %s, ClassID: %s 0x33fa1:$b3: I wasn't able to open the hosts file 0x33ff9:$b3: I wasn't able to open the hosts file 0x3513d:$b4: #BOT#VisitUrl 0x33607:$b5: #KCMDDC
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3fa1e:$a: NanoCore 0x3fa2e:$a: NanoCore 0x3fac2:$a: NanoCore 0x3fad1:$a: NanoCore 0x3fcd2:$a: NanoCore 0x3fce6:$a: NanoCore 0x3fd26:$a: NanoCore 0x4ae6d:$a: NanoCore 0x4ae7f:$a: NanoCore 0x4aebb:$a: NanoCore 0x597f1:$a: NanoCore 0x59803:$a: NanoCore 0x5983f:$a: NanoCore 0x3fa76:$b: ClientPlugin 0x3fb1b:$b: ClientPlugin 0x3fcef:$b: ClientPlugin 0x3fd2f:$b: ClientPlugin 0x4ae88:$b: ClientPlugin 0x4aec4:$b: ClientPlugin 0x5980c:$b: ClientPlugin 0x59848:$b: ClientPlugin
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x3514c:$bot1: #BOT#OpenUrl 0x3518a:$bot2: #BOT#Ping 0x35195:$bot2: #BOT#Ping 0x351f4:$bot3: #BOT#RunPrompt 0x352dd:$bot4: #BOT#SvrUninstall 0x354cd:$bot5: #BOT#URLDownload 0x35362:$bot6: #BOT#URLUpdate 0x3513d:$bot7: #BOT#VisitUrl 0x3525b:$bot8: #BOT#CloseServer 0x35522:$ddos1: DDOSHTTPFLOOD 0x35531:$ddos2: DDOSSYNFLOOD 0x3553e:$ddos3: DDOSUDPFLOOD 0x34d25:$keylogger1: ActiveOnlineKeylogger 0x34d3d:$keylogger1: ActiveOnlineKeylogger 0x34d3b:$keylogger2: UnActiveOnlineKeylogger 0x34d73:$keylogger3: ActiveOfflineKeylogger 0x34d8c:$keylogger3: ActiveOfflineKeylogger 0x34d8a:$keylogger4: UnActiveOfflineKeylogger 0x356d0:$shell1: ACTIVEREMOTESHELL 0x356e9:$shell2: SUBMREMOTESHELL 0x356f9:$shell3: KILLREMOTESHELL
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x35362:$a1: #BOT#URLUpdate 0x35219:$a2: Command successfully executed! 0x3523b:$a2: Command successfully executed! 0x2bc0d:$b1: FastMM Borland Edition 0x2bc26:$b1: FastMM Borland Edition 0x2e1ba:$b2: %s, ClassID: %s 0x2e1ca:$b2: %s, ClassID: %s 0x33fa1:$b3: I wasn't able to open the hosts file 0x33ff9:$b3: I wasn't able to open the hosts file 0x3513d:$b4: #BOT#VisitUrl 0x33607:$b5: #KCMDDC
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	DarkComet_4	unknown	unknown	0x3513d:$a1: #BOT# 0x3514c:$a1: #BOT# 0x3518a:$a1: #BOT# 0x35195:$a1: #BOT# 0x351f4:$a1: #BOT# 0x3525b:$a1: #BOT# 0x352dd:$a1: #BOT# 0x35362:$a1: #BOT# 0x354cd:$a1: #BOT# 0x35730:$a2: WEBCAMSTOP 0x34dba:$a3: UnActiveOnlineKeyStrokes 0x350d4:$a4: #SendTaskMgr 0x350e9:$a4: #SendTaskMgr 0x3556e:$a5: #RemoteScreenSize 0x3492e:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x35dea:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x3517c:$a2: is now open!\| 0x34d25:$a3: ActiveOnlineKeylogger 0x351f4:$a4: #BOT#RunPrompt 0x348c3:$a5: GETMONITORS
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3fd26:$a1: NanoCore.ClientPluginHost 0x3fce6:$a2: NanoCore.ClientPlugin 0x41bba:$b1: get_BuilderSettings 0x3faa7:$b2: ClientLoaderForm.resources 0x412da:$b3: PluginCommand 0x3fd17:$b4: IClientAppHost 0x4a0f1:$b5: GetBlockHash 0x42212:$b6: AddHostEntry 0x4d29d:$b6: AddHostEntry 0x5bc21:$b6: AddHostEntry 0x45f05:$b7: LogClientException 0x50dde:$b7: LogClientException 0x5f762:$b7: LogClientException 0x4217f:$b8: PipeExists 0x4d211:$b8: PipeExists 0x5bb95:$b8: PipeExists 0x3fd50:$b9: IClientLoggingHost
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2540b:$x1: NanoCore.ClientPluginHost 0x25448:$x2: IClientNetworkHost 0x28f39:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x33fbf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0xccc0:$a1: #BOT#URLUpdate 0xcb77:$a2: Command successfully executed! 0xcb99:$a2: Command successfully executed! 0x356b:$b1: FastMM Borland Edition 0x3584:$b1: FastMM Borland Edition 0x5b18:$b2: %s, ClassID: %s 0x5b28:$b2: %s, ClassID: %s 0xb8ff:$b3: I wasn't able to open the hosts file 0xb957:$b3: I wasn't able to open the hosts file 0xca9b:$b4: #BOT#VisitUrl 0x2186:$b5: #KCMDDC 0xaf65:$b5: #KCMDDC
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x250d8:$a: NanoCore 0x250e8:$a: NanoCore 0x251a7:$a: NanoCore 0x251b6:$a: NanoCore 0x253b7:$a: NanoCore 0x253cb:$a: NanoCore 0x2540b:$a: NanoCore 0x30629:$a: NanoCore 0x3063b:$a: NanoCore 0x30677:$a: NanoCore 0x25137:$b: ClientPlugin 0x25200:$b: ClientPlugin 0x253d4:$b: ClientPlugin 0x25414:$b: ClientPlugin 0x30644:$b: ClientPlugin 0x30680:$b: ClientPlugin 0x252f9:$c: ProjectData 0x30576:$c: ProjectData 0x25ccd:$d: DESCrypto 0x30ed4:$d: DESCrypto 0xdda4:$e: KeepAlive
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0xcaaa:$bot1: #BOT#OpenUrl 0xcae8:$bot2: #BOT#Ping 0xcaf3:$bot2: #BOT#Ping 0xcb52:$bot3: #BOT#RunPrompt 0xcc3b:$bot4: #BOT#SvrUninstall 0xce2b:$bot5: #BOT#URLDownload 0xccc0:$bot6: #BOT#URLUpdate 0xca9b:$bot7: #BOT#VisitUrl 0xcbb9:$bot8: #BOT#CloseServer 0xce80:$ddos1: DDOSHTTPFLOOD 0xce8f:$ddos2: DDOSSYNFLOOD 0xce9c:$ddos3: DDOSUDPFLOOD 0xc683:$keylogger1: ActiveOnlineKeylogger 0xc69b:$keylogger1: ActiveOnlineKeylogger 0xc699:$keylogger2: UnActiveOnlineKeylogger 0xc6d1:$keylogger3: ActiveOfflineKeylogger 0xc6ea:$keylogger3: ActiveOfflineKeylogger 0xc6e8:$keylogger4: UnActiveOfflineKeylogger 0xd02e:$shell1: ACTIVEREMOTESHELL 0xd047:$shell2: SUBMREMOTESHELL 0xd057:$shell3: KILLREMOTESHELL
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x1a3a8:$a: #BEGIN DARKCOMET DATA -- 0x43200:$a: #BEGIN DARKCOMET DATA -- 0x1a54e:$b: #EOF DARKCOMET DATA -- 0x1a580:$b: #EOF DARKCOMET DATA -- 0x430d7:$b: #EOF DARKCOMET DATA -- 0x430ee:$b: #EOF DARKCOMET DATA -- 0x1a3c9:$c: DC_MUTEX- 0x1f862:$c: DC_MUTEX- 0x1f873:$c: DC_MUTEX- 0x431d4:$c: DC_MUTEX- 0x431ed:$c: DC_MUTEX- 0x2186:$k2: #KCMDDC51#-890
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0xccc0:$a1: #BOT#URLUpdate 0xcb77:$a2: Command successfully executed! 0xcb99:$a2: Command successfully executed! 0x356b:$b1: FastMM Borland Edition 0x3584:$b1: FastMM Borland Edition 0x5b18:$b2: %s, ClassID: %s 0x5b28:$b2: %s, ClassID: %s 0xb8ff:$b3: I wasn't able to open the hosts file 0xb957:$b3: I wasn't able to open the hosts file 0xca9b:$b4: #BOT#VisitUrl 0x2186:$b5: #KCMDDC 0xaf65:$b5: #KCMDDC
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	DarkComet_4	unknown	unknown	0xca9b:$a1: #BOT# 0xcaaa:$a1: #BOT# 0xcae8:$a1: #BOT# 0xcaf3:$a1: #BOT# 0xcb52:$a1: #BOT# 0xcbb9:$a1: #BOT# 0xcc3b:$a1: #BOT# 0xccc0:$a1: #BOT# 0xce2b:$a1: #BOT# 0xd08e:$a2: WEBCAMSTOP 0xc718:$a3: UnActiveOnlineKeyStrokes 0xca32:$a4: #SendTaskMgr 0xca47:$a4: #SendTaskMgr 0xcecc:$a5: #RemoteScreenSize 0xc28c:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0xd748:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0xcada:$a2: is now open!\| 0xc683:$a3: ActiveOnlineKeylogger 0xcb52:$a4: #BOT#RunPrompt 0xc221:$a5: GETMONITORS
Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2540b:$a1: NanoCore.ClientPluginHost 0x253cb:$a2: NanoCore.ClientPlugin 0x272e2:$b1: get_BuilderSettings 0x2518c:$b2: ClientLoaderForm.resources 0x26a02:$b3: PluginCommand 0x253fc:$b4: IClientAppHost 0x2f835:$b5: GetBlockHash 0x2793a:$b6: AddHostEntry 0x32a59:$b6: AddHostEntry 0x2b62d:$b7: LogClientException 0x3659a:$b7: LogClientException 0x278a7:$b8: PipeExists 0x329cd:$b8: PipeExists 0x25435:$b9: IClientLoggingHost
Process Memory Space: JUNE STUB.EXE PID: 8176	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xa854:$x1: NanoCore.ClientPluginHost 0x2166c:$x1: NanoCore.ClientPluginHost 0x378b0:$x1: NanoCore.ClientPluginHost 0x72309:$x1: NanoCore.ClientPluginHost 0x9f5fe:$x1: NanoCore.ClientPluginHost 0xa3cc3:$x1: NanoCore.ClientPluginHost 0xad0e9:$x1: NanoCore.ClientPluginHost 0xb95c2:$x1: NanoCore.ClientPluginHost 0xd8c47:$x1: NanoCore.ClientPluginHost 0xf00e2:$x1: NanoCore.ClientPluginHost 0xf504f:$x1: NanoCore.ClientPluginHost 0x106e5f:$x1: NanoCore.ClientPluginHost 0x117706:$x1: NanoCore.ClientPluginHost 0x11d4f5:$x1: NanoCore.ClientPluginHost 0x159584:$x1: NanoCore.ClientPluginHost 0x170ccd:$x1: NanoCore.ClientPluginHost 0x1855d2:$x1: NanoCore.ClientPluginHost 0x1a69fc:$x1: NanoCore.ClientPluginHost 0x1c8f1a:$x1: NanoCore.ClientPluginHost 0xa88d:$x2: IClientNetworkHost 0x21686:$x2: IClientNetworkHost
Process Memory Space: JUNE STUB.EXE PID: 8176	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JUNE STUB.EXE PID: 8176	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa854:$a: NanoCore 0xa8d0:$a: NanoCore 0xbeb0:$a: NanoCore 0xbf24:$a: NanoCore 0xd7f5:$a: NanoCore 0x2162b:$a: NanoCore 0x21643:$a: NanoCore 0x2166c:$a: NanoCore 0x26464:$a: NanoCore 0x2647a:$a: NanoCore 0x264a1:$a: NanoCore 0x36b00:$a: NanoCore 0x3788b:$a: NanoCore 0x378b0:$a: NanoCore 0x37909:$a: NanoCore 0x3b39d:$a: NanoCore 0x3b3c0:$a: NanoCore 0x3b415:$a: NanoCore 0x464b7:$a: NanoCore 0x464db:$a: NanoCore 0x46533:$a: NanoCore
Process Memory Space: JUNE STUB.EXE PID: 8176	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa854:$a1: NanoCore.ClientPluginHost 0x2166c:$a1: NanoCore.ClientPluginHost 0x378b0:$a1: NanoCore.ClientPluginHost 0x72309:$a1: NanoCore.ClientPluginHost 0x9f5fe:$a1: NanoCore.ClientPluginHost 0xa3cc3:$a1: NanoCore.ClientPluginHost 0xad0e9:$a1: NanoCore.ClientPluginHost 0xb95c2:$a1: NanoCore.ClientPluginHost 0xd8c47:$a1: NanoCore.ClientPluginHost 0xf00e2:$a1: NanoCore.ClientPluginHost 0xf504f:$a1: NanoCore.ClientPluginHost 0x106e5f:$a1: NanoCore.ClientPluginHost 0x117706:$a1: NanoCore.ClientPluginHost 0x11d4f5:$a1: NanoCore.ClientPluginHost 0x159584:$a1: NanoCore.ClientPluginHost 0x170ccd:$a1: NanoCore.ClientPluginHost 0x1855d2:$a1: NanoCore.ClientPluginHost 0x1a69fc:$a1: NanoCore.ClientPluginHost 0x1c8f1a:$a1: NanoCore.ClientPluginHost 0xa8d0:$a2: NanoCore.ClientPlugin 0x21643:$a2: NanoCore.ClientPlugin
Process Memory Space: msdcsc.exe PID: 5860	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6bc06:$x1: NanoCore.ClientPluginHost 0x6bc43:$x2: IClientNetworkHost 0x6f6fa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a6f4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: msdcsc.exe PID: 5860	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x61140:$a1: #BOT#URLUpdate 0x60ff7:$a2: Command successfully executed! 0x61019:$a2: Command successfully executed! 0x57a34:$b1: FastMM Borland Edition 0x57a4d:$b1: FastMM Borland Edition 0x59fd8:$b2: %s, ClassID: %s 0x59fe8:$b2: %s, ClassID: %s 0x5fd7f:$b3: I wasn't able to open the hosts file 0x5fdd7:$b3: I wasn't able to open the hosts file 0x60f1b:$b4: #BOT#VisitUrl 0x5f3e5:$b5: #KCMDDC
Process Memory Space: msdcsc.exe PID: 5860	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
Process Memory Space: msdcsc.exe PID: 5860	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: msdcsc.exe PID: 5860	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: msdcsc.exe PID: 5860	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6b8fe:$a: NanoCore 0x6b90e:$a: NanoCore 0x6b9a2:$a: NanoCore 0x6b9b1:$a: NanoCore 0x6bbb2:$a: NanoCore 0x6bbc6:$a: NanoCore 0x6bc06:$a: NanoCore 0x76d5e:$a: NanoCore 0x76d70:$a: NanoCore 0x76dac:$a: NanoCore 0x6b956:$b: ClientPlugin 0x6b9fb:$b: ClientPlugin 0x6bbcf:$b: ClientPlugin 0x6bc0f:$b: ClientPlugin 0x76d79:$b: ClientPlugin 0x76db5:$b: ClientPlugin 0x6baf4:$c: ProjectData 0x76cab:$c: ProjectData 0x6c4ab:$d: DESCrypto 0x77609:$d: DESCrypto 0x570ce:$e: KeepAlive
Process Memory Space: msdcsc.exe PID: 5860	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x60f2a:$bot1: #BOT#OpenUrl 0x60f68:$bot2: #BOT#Ping 0x60f73:$bot2: #BOT#Ping 0x60fd2:$bot3: #BOT#RunPrompt 0x610bb:$bot4: #BOT#SvrUninstall 0x612ab:$bot5: #BOT#URLDownload 0x61140:$bot6: #BOT#URLUpdate 0x60f1b:$bot7: #BOT#VisitUrl 0x61039:$bot8: #BOT#CloseServer 0x61300:$ddos1: DDOSHTTPFLOOD 0x6130f:$ddos2: DDOSSYNFLOOD 0x6131c:$ddos3: DDOSUDPFLOOD 0x60b03:$keylogger1: ActiveOnlineKeylogger 0x60b1b:$keylogger1: ActiveOnlineKeylogger 0x60b19:$keylogger2: UnActiveOnlineKeylogger 0x60b51:$keylogger3: ActiveOfflineKeylogger 0x60b6a:$keylogger3: ActiveOfflineKeylogger 0x60b68:$keylogger4: UnActiveOfflineKeylogger 0x614ae:$shell1: ACTIVEREMOTESHELL 0x614c7:$shell2: SUBMREMOTESHELL 0x614d7:$shell3: KILLREMOTESHELL
Process Memory Space: msdcsc.exe PID: 5860	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x61140:$a1: #BOT#URLUpdate 0x60ff7:$a2: Command successfully executed! 0x61019:$a2: Command successfully executed! 0x57a34:$b1: FastMM Borland Edition 0x57a4d:$b1: FastMM Borland Edition 0x59fd8:$b2: %s, ClassID: %s 0x59fe8:$b2: %s, ClassID: %s 0x5fd7f:$b3: I wasn't able to open the hosts file 0x5fdd7:$b3: I wasn't able to open the hosts file 0x60f1b:$b4: #BOT#VisitUrl 0x5f3e5:$b5: #KCMDDC
Process Memory Space: msdcsc.exe PID: 5860	DarkComet_4	unknown	unknown	0x60f1b:$a1: #BOT# 0x60f2a:$a1: #BOT# 0x60f68:$a1: #BOT# 0x60f73:$a1: #BOT# 0x60fd2:$a1: #BOT# 0x61039:$a1: #BOT# 0x610bb:$a1: #BOT# 0x61140:$a1: #BOT# 0x612ab:$a1: #BOT# 0x6150e:$a2: WEBCAMSTOP 0x60b98:$a3: UnActiveOnlineKeyStrokes 0x60eb2:$a4: #SendTaskMgr 0x60ec7:$a4: #SendTaskMgr 0x6134c:$a5: #RemoteScreenSize 0x6070c:$a6: ping 127.0.0.1 -n 4 > NUL &&
Process Memory Space: msdcsc.exe PID: 5860	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x61bc8:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x60f5a:$a2: is now open!\| 0x60b03:$a3: ActiveOnlineKeylogger 0x60fd2:$a4: #BOT#RunPrompt 0x606a1:$a5: GETMONITORS
Process Memory Space: msdcsc.exe PID: 5860	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6bc06:$a1: NanoCore.ClientPluginHost 0x6bbc6:$a2: NanoCore.ClientPlugin 0x6daa3:$b1: get_BuilderSettings 0x6b987:$b2: ClientLoaderForm.resources 0x6d1c3:$b3: PluginCommand 0x6bbf7:$b4: IClientAppHost 0x75fe2:$b5: GetBlockHash 0x6e0fb:$b6: AddHostEntry 0x7918e:$b6: AddHostEntry 0x71dee:$b7: LogClientException 0x7cccf:$b7: LogClientException 0x6e068:$b8: PipeExists 0x79102:$b8: PipeExists 0x6bc30:$b9: IClientLoggingHost
Process Memory Space: msdcsc.exe PID: 7264	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x42e95:$x1: NanoCore.ClientPluginHost 0x42ed2:$x2: IClientNetworkHost 0x469c3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x51a49:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: msdcsc.exe PID: 7264	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: msdcsc.exe PID: 7264	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: msdcsc.exe PID: 7264	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42b62:$a: NanoCore 0x42b72:$a: NanoCore 0x42c31:$a: NanoCore 0x42c40:$a: NanoCore 0x42e41:$a: NanoCore 0x42e55:$a: NanoCore 0x42e95:$a: NanoCore 0x4e0b3:$a: NanoCore 0x4e0c5:$a: NanoCore 0x4e101:$a: NanoCore 0x42bc1:$b: ClientPlugin 0x42c8a:$b: ClientPlugin 0x42e5e:$b: ClientPlugin 0x42e9e:$b: ClientPlugin 0x4e0ce:$b: ClientPlugin 0x4e10a:$b: ClientPlugin 0x42d83:$c: ProjectData 0x4e000:$c: ProjectData 0x43757:$d: DESCrypto 0x4e95e:$d: DESCrypto 0x1743c:$e: KeepAlive
Process Memory Space: msdcsc.exe PID: 7264	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x42e95:$a1: NanoCore.ClientPluginHost 0x42e55:$a2: NanoCore.ClientPlugin 0x44d6c:$b1: get_BuilderSettings 0x42c16:$b2: ClientLoaderForm.resources 0x4448c:$b3: PluginCommand 0x42e86:$b4: IClientAppHost 0x4d2bf:$b5: GetBlockHash 0x453c4:$b6: AddHostEntry 0x504e3:$b6: AddHostEntry 0x490b7:$b7: LogClientException 0x54024:$b7: LogClientException 0x45331:$b8: PipeExists 0x50457:$b8: PipeExists 0x42ebf:$b9: IClientLoggingHost
Process Memory Space: msdcsc.exe PID: 6288	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x6ad:$a: #BEGIN DARKCOMET DATA -- 0x18b:$b: #EOF DARKCOMET DATA -- 0x1a2:$b: #EOF DARKCOMET DATA -- 0x853:$b: #EOF DARKCOMET DATA -- 0x885:$b: #EOF DARKCOMET DATA -- 0x1fa:$c: DC_MUTEX- 0x213:$c: DC_MUTEX- 0x6ce:$c: DC_MUTEX- 0x2886:$c: DC_MUTEX- 0x2897:$c: DC_MUTEX- 0x2941:$k2: #KCMDDC51#-890 0x2950:$k2: #KCMDDC51#-890
Process Memory Space: dhcpmon.exe PID: 6384	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6384	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfd9:$a: NanoCore 0x1260:$a: NanoCore 0x1275:$a: NanoCore 0x4e8c:$a: NanoCore 0x4ee5:$a: NanoCore 0x4f22:$a: NanoCore 0x4f9b:$a: NanoCore 0x5854:$a: NanoCore 0x58a7:$a: NanoCore 0x58e0:$a: NanoCore 0x5953:$a: NanoCore 0xcf25:$a: NanoCore 0xcf38:$a: NanoCore 0xcf6a:$a: NanoCore 0x1273b:$a: NanoCore 0x1274e:$a: NanoCore 0x12780:$a: NanoCore 0x1e72d:$a: NanoCore 0x1e79b:$a: NanoCore 0x1e80e:$a: NanoCore 0x27d4c:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6384	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4f22:$a1: NanoCore.ClientPluginHost 0x27de2:$a1: NanoCore.ClientPluginHost 0x4ee5:$a2: NanoCore.ClientPlugin 0x27da5:$a2: NanoCore.ClientPlugin 0x529c:$b1: get_BuilderSettings 0x21062:$b1: get_BuilderSettings 0x4f70:$b4: IClientAppHost 0x27e30:$b4: IClientAppHost 0x530d:$b6: AddHostEntry 0x2813b:$b6: AddHostEntry 0x537c:$b7: LogClientException 0x20fd1:$b7: LogClientException 0x52f1:$b8: PipeExists 0x2811f:$b8: PipeExists 0x4f5d:$b9: IClientLoggingHost 0x27e1d:$b9: IClientLoggingHost
Process Memory Space: JUNE STUB.EXE PID: 8152	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JUNE STUB.EXE PID: 8152	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1100:$a: NanoCore 0x116e:$a: NanoCore 0x11e1:$a: NanoCore 0xa726:$a: NanoCore 0xa77f:$a: NanoCore 0xa7bc:$a: NanoCore 0xa835:$a: NanoCore 0xafc1:$a: NanoCore 0xb014:$a: NanoCore 0xb04d:$a: NanoCore 0xb0c0:$a: NanoCore 0xbcf6:$a: NanoCore 0xbd51:$a: NanoCore 0xc53e:$a: NanoCore 0xca71:$a: NanoCore 0xca85:$a: NanoCore 0x55d8:$b: ClientPlugin 0x5619:$b: ClientPlugin 0xa788:$b: ClientPlugin 0xa7c5:$b: ClientPlugin 0xaf71:$b: ClientPlugin
Process Memory Space: JUNE STUB.EXE PID: 8152	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xa7bc:$a1: NanoCore.ClientPluginHost 0xa77f:$a2: NanoCore.ClientPlugin 0x3a49:$b1: get_BuilderSettings 0xa80a:$b4: IClientAppHost 0xab15:$b6: AddHostEntry 0x39b8:$b7: LogClientException 0xaaf9:$b8: PipeExists 0xa7f7:$b9: IClientLoggingHost
Process Memory Space: notepad.exe PID: 1340	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x14c:$c: DC_MUTEX- 0x515d:$c: DC_MUTEX- 0x516f:$c: DC_MUTEX- 0x5181:$c: DC_MUTEX- 0x5193:$c: DC_MUTEX- 0x51b7:$c: DC_MUTEX- 0x51c9:$c: DC_MUTEX- 0x51db:$c: DC_MUTEX- 0x51ed:$c: DC_MUTEX- 0x51ff:$c: DC_MUTEX- 0x5211:$c: DC_MUTEX- 0x5223:$c: DC_MUTEX-
Process Memory Space: msdcsc.exe PID: 5840	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0xcf5:$a: #BEGIN DARKCOMET DATA -- 0xd0e:$a: #BEGIN DARKCOMET DATA -- 0xdd4:$a: #BEGIN DARKCOMET DATA -- 0x3d4b:$a: #BEGIN DARKCOMET DATA -- 0xcc6:$b: #EOF DARKCOMET DATA -- 0xcdd:$b: #EOF DARKCOMET DATA -- 0x3ef1:$b: #EOF DARKCOMET DATA -- 0x3f23:$b: #EOF DARKCOMET DATA -- 0xda8:$c: DC_MUTEX- 0xdc1:$c: DC_MUTEX- 0x102d:$c: DC_MUTEX- 0x2300:$c: DC_MUTEX- 0x3d6c:$c: DC_MUTEX- 0x6b14:$c: DC_MUTEX- 0x2816:$k2: #KCMDDC51#-890
Process Memory Space: msdcsc.exe PID: 5236	DarkComet_2	DarkComet	Jean-Philippe Teissier / @Jipe_	0x5cd0:$a: #BEGIN DARKCOMET DATA -- 0x893a:$a: #BEGIN DARKCOMET DATA -- 0x8953:$a: #BEGIN DARKCOMET DATA -- 0x896d:$a: #BEGIN DARKCOMET DATA -- 0x5e76:$b: #EOF DARKCOMET DATA -- 0x5ea8:$b: #EOF DARKCOMET DATA -- 0x8a50:$b: #EOF DARKCOMET DATA -- 0x8a67:$b: #EOF DARKCOMET DATA -- 0xe9d:$c: DC_MUTEX- 0xeae:$c: DC_MUTEX- 0x3bcd:$c: DC_MUTEX- 0x5cf1:$c: DC_MUTEX- 0x683e:$c: DC_MUTEX- 0x89ea:$c: DC_MUTEX- 0x8a03:$c: DC_MUTEX- 0x3e26:$k2: #KCMDDC51#-890
Click to see the 199 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.JUNE STUB.EXE.6c40000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c40000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c40000.16.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0x16fd:$i6: IClientLoggingHost 0x171c:$i7: IClientNetworkHost 0x1491:$s1: ClientPlugin 0x1768:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c40000.16.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0x16fd:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x34f8:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x334e:$s1: ClientPlugin 0x34eb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x5854:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5ad5:$x2: NanoCore.ClientPlugin 0x59eb:$x3: NanoCore.ClientPluginHost 0x5aeb:$i3: IClientNetwork 0x5a24:$i5: IClientDataHost 0x5a05:$i6: IClientLoggingHost 0x5b48:$i7: IClientNetworkHost 0x5a43:$i8: IClientUIHost 0x6955:$i9: IClientNameObjectCollection 0x54fc:$s1: ClientPlugin 0x5ade:$s1: ClientPlugin 0x6971:$s6: get_ClientSettings
19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x59eb:$a1: NanoCore.ClientPluginHost 0x5ad5:$a2: NanoCore.ClientPlugin 0x732e:$b7: LogClientException 0x6941:$b8: PipeExists 0x5a05:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.5a80000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.5a80000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.5a80000.10.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
19.2.JUNE STUB.EXE.5a80000.10.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c80000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c80000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c80000.18.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x67f:$x2: NanoCore.ClientPlugin 0x605:$x3: NanoCore.ClientPluginHost 0x695:$i3: IClientNetwork 0x61f:$i6: IClientLoggingHost 0x63e:$i7: IClientNetworkHost 0x688:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c80000.18.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x605:$a1: NanoCore.ClientPluginHost 0x67f:$a2: NanoCore.ClientPlugin 0xda0:$b7: LogClientException 0x61f:$b9: IClientLoggingHost
22.2.msdcsc.exe.504a4f4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.msdcsc.exe.504a4f4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
22.2.msdcsc.exe.504a4f4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.msdcsc.exe.504a4f4.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
22.2.msdcsc.exe.504a4f4.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
22.2.msdcsc.exe.504a4f4.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c60000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c60000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c60000.17.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3f87:$x2: NanoCore.ClientPlugin 0x3f0b:$x3: NanoCore.ClientPluginHost 0x3f9d:$i3: IClientNetwork 0x3f25:$i6: IClientLoggingHost 0x3f44:$i7: IClientNetworkHost 0x3bfb:$s1: ClientPlugin 0x3f90:$s1: ClientPlugin 0x50f4:$s3: IPAddress
19.2.JUNE STUB.EXE.6c60000.17.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3f0b:$a1: NanoCore.ClientPluginHost 0x3f87:$a2: NanoCore.ClientPlugin 0x4b10:$b7: LogClientException 0x3f25:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c80000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c80000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c80000.18.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x227f:$x2: NanoCore.ClientPlugin 0x2205:$x3: NanoCore.ClientPluginHost 0x2295:$i3: IClientNetwork 0x221f:$i6: IClientLoggingHost 0x223e:$i7: IClientNetworkHost 0x1f9f:$s1: ClientPlugin 0x2288:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c80000.18.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2205:$a1: NanoCore.ClientPluginHost 0x227f:$a2: NanoCore.ClientPlugin 0x29a0:$b7: LogClientException 0x221f:$b9: IClientLoggingHost
34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b70:$x2: NanoCore.ClientPlugin 0x5b99:$x3: NanoCore.ClientPluginHost 0x5b61:$i3: IClientNetwork 0x5b86:$i6: IClientLoggingHost 0x5bb3:$i7: IClientNetworkHost 0x59d4:$s1: ClientPlugin 0x5b79:$s1: ClientPlugin 0x5e84:$s2: EndPoint 0x5e8d:$s3: IPAddress 0x5e97:$s4: IPEndPoint
19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b99:$a1: NanoCore.ClientPluginHost 0x5b70:$a2: NanoCore.ClientPlugin 0x5b86:$b9: IClientLoggingHost
33.2.dhcpmon.exe.3a22a45.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3a22a45.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3a22a45.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3a22a45.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0x23c1b:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0x23c50:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0x23c0f:$i2: IClientData 0xb165:$i3: IClientNetwork 0x23c31:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0x23c40:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0x23c6a:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0x23c7d:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0x23c90:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0x23c9e:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0x23cba:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin
33.2.dhcpmon.exe.3a22a45.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0x23c50:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x23c1b:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x28b96:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0x28b05:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost 0x23c6a:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.3430124.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.3430124.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.3430124.3.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
19.2.JUNE STUB.EXE.3430124.3.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
33.2.dhcpmon.exe.3a1e41c.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3a1e41c.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3a1e41c.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3a1e41c.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
33.2.dhcpmon.exe.3a1e41c.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c20000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c20000.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c20000.15.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x6d7f:$x2: NanoCore.ClientPlugin 0x6da5:$x3: NanoCore.ClientPluginHost 0x6d70:$i3: IClientNetwork 0x6d95:$i5: IClientDataHost 0x6dbf:$i6: IClientLoggingHost 0x6dd2:$i7: IClientNetworkHost 0x6de5:$i9: IClientNameObjectCollection 0x6b02:$s1: ClientPlugin 0x6d88:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c20000.15.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x6da5:$a1: NanoCore.ClientPluginHost 0x6d7f:$a2: NanoCore.ClientPlugin 0x6dbf:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.5d10000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.5d10000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.5d10000.12.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JUNE STUB.EXE.5d10000.12.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xd978:$x2: NanoCore.ClientPlugin 0xd9ad:$x3: NanoCore.ClientPluginHost 0xd96c:$i2: IClientData 0xd98e:$i3: IClientNetwork 0xd99d:$i5: IClientDataHost 0xd9c7:$i6: IClientLoggingHost 0xd9da:$i7: IClientNetworkHost 0xd9ed:$i8: IClientUIHost 0xd9fb:$i9: IClientNameObjectCollection 0xda17:$i10: IClientReadOnlyNameObjectCollection 0xd76a:$s1: ClientPlugin 0xd981:$s1: ClientPlugin 0x129a2:$s6: get_ClientSettings
19.2.JUNE STUB.EXE.5d10000.12.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xd9ad:$a1: NanoCore.ClientPluginHost 0xd978:$a2: NanoCore.ClientPlugin 0x128f3:$b1: get_BuilderSettings 0x12862:$b7: LogClientException 0xd9c7:$b9: IClientLoggingHost
33.2.dhcpmon.exe.29f3dc4.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
33.2.dhcpmon.exe.29f3dc4.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
33.2.dhcpmon.exe.29f3dc4.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
33.2.dhcpmon.exe.29f3dc4.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x34e2:$x2: NanoCore.ClientPlugin 0x283e6:$x2: NanoCore.ClientPlugin 0x3782a:$x2: NanoCore.ClientPlugin 0x350b:$x3: NanoCore.ClientPluginHost 0x2840f:$x3: NanoCore.ClientPluginHost 0x3784f:$x3: NanoCore.ClientPluginHost 0x34d3:$i3: IClientNetwork 0x283d7:$i3: IClientNetwork 0x3781b:$i3: IClientNetwork 0x37840:$i4: IClientAppHost 0x37869:$i5: IClientDataHost 0x34f8:$i6: IClientLoggingHost 0x283fc:$i6: IClientLoggingHost 0x37879:$i6: IClientLoggingHost 0x3525:$i7: IClientNetworkHost 0x28429:$i7: IClientNetworkHost 0x3788c:$i7: IClientNetworkHost 0x2843c:$i8: IClientUIHost 0x3789f:$i8: IClientUIHost 0x378ad:$i9: IClientNameObjectCollection 0x334e:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x350b:$a1: NanoCore.ClientPluginHost 0x2840f:$a1: NanoCore.ClientPluginHost 0x3784f:$a1: NanoCore.ClientPluginHost 0x34e2:$a2: NanoCore.ClientPlugin 0x283e6:$a2: NanoCore.ClientPlugin 0x3782a:$a2: NanoCore.ClientPlugin 0x37840:$b4: IClientAppHost 0x5854:$b7: LogClientException 0x2d43a:$b7: LogClientException 0x3bd2f:$b7: LogClientException 0x34f8:$b9: IClientLoggingHost 0x283fc:$b9: IClientLoggingHost 0x37879:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4591d82.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4591d82.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4591d82.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4591d82.7.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4596a21.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x2997c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost 0x299b9:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4596a21.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x2997c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x2cdcf:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost 0x299a6:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4596a21.4.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x29957:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x2997c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x29948:$i3: IClientNetwork 0x2996d:$i4: IClientAppHost 0x29996:$i5: IClientDataHost 0x1a529:$i6: IClientLoggingHost 0x299a6:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x299b9:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x299cc:$i8: IClientUIHost 0x299da:$i9: IClientNameObjectCollection 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin 0x296fe:$s1: ClientPlugin 0x29960:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4596a21.4.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x2997c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x29957:$a2: NanoCore.ClientPlugin 0x2996d:$b4: IClientAppHost 0x1f567:$b7: LogClientException 0x2de5c:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost 0x299a6:$b9: IClientLoggingHost
21.2.msdcsc.exe.4b4dcb4.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.msdcsc.exe.4b4dcb4.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.msdcsc.exe.4b4dcb4.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.msdcsc.exe.4b4dcb4.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
21.2.msdcsc.exe.4b4dcb4.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.msdcsc.exe.4b4dcb4.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4591d82.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x2e61b:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost 0x2e658:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4591d82.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x2e61b:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x31a6e:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost 0x2e645:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4591d82.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x2e5f6:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x2e61b:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x2e5e7:$i3: IClientNetwork 0x2e60c:$i4: IClientAppHost 0x2e635:$i5: IClientDataHost 0x1f1c8:$i6: IClientLoggingHost 0x2e645:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x2e658:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x2e66b:$i8: IClientUIHost 0x2e679:$i9: IClientNameObjectCollection 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin 0x2e39d:$s1: ClientPlugin 0x2e5ff:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4591d82.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x2e61b:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x2e5f6:$a2: NanoCore.ClientPlugin 0x2e60c:$b4: IClientAppHost 0x24206:$b7: LogClientException 0x32afb:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost 0x2e645:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c90000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x1: NanoCore.ClientPluginHost
19.2.JUNE STUB.EXE.6c90000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c90000.19.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x13f2:$x2: NanoCore.ClientPlugin 0x13a8:$x3: NanoCore.ClientPluginHost 0x1408:$i3: IClientNetwork 0x13c2:$i6: IClientLoggingHost 0x1185:$s1: ClientPlugin 0x13fb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c90000.19.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x13a8:$a1: NanoCore.ClientPluginHost 0x13f2:$a2: NanoCore.ClientPlugin 0x13c2:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6ce0000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6ce0000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6ce0000.23.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6ce0000.23.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3a8b:$x2: NanoCore.ClientPlugin 0x39eb:$x3: NanoCore.ClientPluginHost 0x3aa1:$i3: IClientNetwork 0x3a43:$i5: IClientDataHost 0x3a05:$i6: IClientLoggingHost 0x3a24:$i7: IClientNetworkHost 0x426c:$i9: IClientNameObjectCollection 0x3741:$s1: ClientPlugin 0x3a94:$s1: ClientPlugin 0x4680:$s2: EndPoint 0x4371:$s3: IPAddress 0x3c83:$s4: IPEndPoint 0x43a3:$s7: get_Connected
19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x39eb:$a1: NanoCore.ClientPluginHost 0x3a8b:$a2: NanoCore.ClientPlugin 0x47e1:$b7: LogClientException 0x3a05:$b9: IClientLoggingHost
21.2.msdcsc.exe.4126b74.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.msdcsc.exe.4126b74.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.msdcsc.exe.4126b74.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.msdcsc.exe.4126b74.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
21.2.msdcsc.exe.4126b74.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
21.2.msdcsc.exe.4126b74.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c60000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c60000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c60000.17.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5b87:$x2: NanoCore.ClientPlugin 0x5b0b:$x3: NanoCore.ClientPluginHost 0x5b9d:$i3: IClientNetwork 0x5b25:$i6: IClientLoggingHost 0x5b44:$i7: IClientNetworkHost 0x57fb:$s1: ClientPlugin 0x5b90:$s1: ClientPlugin 0x6cf4:$s3: IPAddress
19.2.JUNE STUB.EXE.6c60000.17.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5b0b:$a1: NanoCore.ClientPluginHost 0x5b87:$a2: NanoCore.ClientPlugin 0x6710:$b7: LogClientException 0x5b25:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.3444758.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x16e3:$x1: NanoCore.ClientPluginHost 0xb53b:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x20edf:$x1: NanoCore.ClientPluginHost 0x2bec9:$x1: NanoCore.ClientPluginHost 0x37c77:$x1: NanoCore.ClientPluginHost 0x439ca:$x1: NanoCore.ClientPluginHost 0x540ab:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb574:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x20f18:$x2: IClientNetworkHost 0x2bee3:$x2: IClientNetworkHost 0x37c91:$x2: IClientNetworkHost 0x43a07:$x2: IClientNetworkHost 0x54208:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.3444758.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x175f:$x2: NanoCore.ClientPlugin 0xb5b7:$x2: NanoCore.ClientPlugin 0x134e3:$x2: NanoCore.ClientPlugin 0x1948e:$x2: NanoCore.ClientPlugin 0x20f7f:$x2: NanoCore.ClientPlugin 0x2bea0:$x2: NanoCore.ClientPlugin 0x37c4e:$x2: NanoCore.ClientPlugin 0x439a5:$x2: NanoCore.ClientPlugin 0x54195:$x2: NanoCore.ClientPlugin 0x16e3:$x3: NanoCore.ClientPluginHost 0xb53b:$x3: NanoCore.ClientPluginHost 0x13469:$x3: NanoCore.ClientPluginHost 0x19444:$x3: NanoCore.ClientPluginHost 0x20edf:$x3: NanoCore.ClientPluginHost 0x2bec9:$x3: NanoCore.ClientPluginHost 0x37c77:$x3: NanoCore.ClientPluginHost 0x439ca:$x3: NanoCore.ClientPluginHost 0x540ab:$x3: NanoCore.ClientPluginHost 0x1775:$i3: IClientNetwork 0xb5cd:$i3: IClientNetwork 0x134f9:$i3: IClientNetwork
19.2.JUNE STUB.EXE.3444758.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb53b:$a: NanoCore 0xb5b7:$a: NanoCore 0xde9a:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x20bbf:$a: NanoCore 0x20c20:$a: NanoCore 0x20c63:$a: NanoCore
19.2.JUNE STUB.EXE.3444758.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x16e3:$a1: NanoCore.ClientPluginHost 0xb53b:$a1: NanoCore.ClientPluginHost 0x13469:$a1: NanoCore.ClientPluginHost 0x19444:$a1: NanoCore.ClientPluginHost 0x20edf:$a1: NanoCore.ClientPluginHost 0x2bec9:$a1: NanoCore.ClientPluginHost 0x37c77:$a1: NanoCore.ClientPluginHost 0x439ca:$a1: NanoCore.ClientPluginHost 0x540ab:$a1: NanoCore.ClientPluginHost 0x175f:$a2: NanoCore.ClientPlugin 0xb5b7:$a2: NanoCore.ClientPlugin 0x134e3:$a2: NanoCore.ClientPlugin 0x1948e:$a2: NanoCore.ClientPlugin 0x20f7f:$a2: NanoCore.ClientPlugin 0x2bea0:$a2: NanoCore.ClientPlugin 0x37c4e:$a2: NanoCore.ClientPlugin 0x439a5:$a2: NanoCore.ClientPlugin 0x54195:$a2: NanoCore.ClientPlugin 0x439bb:$b4: IClientAppHost 0xc140:$b7: LogClientException 0x13c04:$b7: LogClientException
19.2.JUNE STUB.EXE.6cb0000.21.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6cb0000.21.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6cb0000.21.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1e8b:$x2: NanoCore.ClientPlugin 0x1deb:$x3: NanoCore.ClientPluginHost 0x1ea1:$i3: IClientNetwork 0x1e43:$i5: IClientDataHost 0x1e05:$i6: IClientLoggingHost 0x1e24:$i7: IClientNetworkHost 0x266c:$i9: IClientNameObjectCollection 0x1b41:$s1: ClientPlugin 0x1e94:$s1: ClientPlugin 0x2a80:$s2: EndPoint 0x2771:$s3: IPAddress 0x2083:$s4: IPEndPoint 0x27a3:$s7: get_Connected
19.2.JUNE STUB.EXE.6cb0000.21.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1deb:$a1: NanoCore.ClientPluginHost 0x1e8b:$a2: NanoCore.ClientPlugin 0x2be1:$b7: LogClientException 0x1e05:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6d00000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d00000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d00000.24.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d00000.24.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6cd0000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6cd0000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6cd0000.22.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3d70:$x2: NanoCore.ClientPlugin 0x3d99:$x3: NanoCore.ClientPluginHost 0x3d61:$i3: IClientNetwork 0x3d86:$i6: IClientLoggingHost 0x3db3:$i7: IClientNetworkHost 0x3bd4:$s1: ClientPlugin 0x3d79:$s1: ClientPlugin 0x4084:$s2: EndPoint 0x408d:$s3: IPAddress 0x4097:$s4: IPEndPoint
19.2.JUNE STUB.EXE.6cd0000.22.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3d99:$a1: NanoCore.ClientPluginHost 0x3d70:$a2: NanoCore.ClientPlugin 0x3d86:$b9: IClientLoggingHost
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0xbb2f8:$x1: UnActiveOfflineKeylogger 0xc2400:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0xbb25c:$x3: ActiveOnlineKeylogger 0xbbb08:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x3e314:$s1: MSRSAAP.EXE 0xbb999:$s2: Command successfully executed!\| 0xa336c:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0xb03fc:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0xb10b8:$s5: \Internet Explorer\iexplore.exe 0xbaae4:$s6: ping 127.0.0.1 -n 4 > NUL && " 0xa3558:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0xc0e04:$s8: POST /index.php/1.0
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0xbba80:$a1: #BOT#URLUpdate 0xbb999:$a2: Command successfully executed! 0x3e9dc:$b1: FastMM Borland Edition 0x69520:$b2: %s, ClassID: %s 0xb03fc:$b3: I wasn't able to open the hosts file 0xbb884:$b4: #BOT#VisitUrl 0xaa794:$b5: #KCMDDC
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x69520:$s1: %s, ClassID: %s 0x697ec:$s2: %s, ProgID: "%s" 0xaa794:$s3: #KCMDDC51# 0xbb884:$s4: #BOT#VisitUrl 0xbb89c:$s5: #BOT#OpenUrl 0xbb918:$s6: #BOT#Ping 0xbb960:$s7: #BOT#RunPrompt 0xbb9c4:$s8: #BOT#CloseServer 0xbba20:$s9: #BOT#SvrUninstall 0xbba80:$s10: #BOT#URLUpdate 0xbbb68:$s11: #BOT#URLDownload 0xbb8e4:$s12: BTRESULTOpen 0xbb92c:$s12: BTRESULTPing\|Respond 0xbb978:$s12: BTRESULTRun 0xbb9e0:$s12: BTRESULTClose 0xbba3c:$s12: BTRESULTUninstall\|uninstall 0xbbb08:$s12: BTRESULTUpdate 0xbfa58:$s12: BTRESULTUDP 0xbfefc:$s12: BTRESULTSyn 0xc0c28:$s12: BTRESULTVisit 0xc0f90:$s12: BTRESULTHTTP
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0xc393e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0xbb89c:$bot1: #BOT#OpenUrl 0xbb918:$bot2: #BOT#Ping 0xbb960:$bot3: #BOT#RunPrompt 0xbba20:$bot4: #BOT#SvrUninstall 0xbbb68:$bot5: #BOT#URLDownload 0xbba80:$bot6: #BOT#URLUpdate 0xbb884:$bot7: #BOT#VisitUrl 0xbb9c4:$bot8: #BOT#CloseServer 0xbbc0c:$ddos1: DDOSHTTPFLOOD 0xbbc24:$ddos2: DDOSSYNFLOOD 0xbbc3c:$ddos3: DDOSUDPFLOOD 0xbb25c:$keylogger1: ActiveOnlineKeylogger 0xbb27e:$keylogger1: ActiveOnlineKeylogger 0xbb27c:$keylogger2: UnActiveOnlineKeylogger 0xbb2d8:$keylogger3: ActiveOfflineKeylogger 0xbb2fa:$keylogger3: ActiveOfflineKeylogger 0xbb2f8:$keylogger4: UnActiveOfflineKeylogger 0xbbf04:$shell1: ACTIVEREMOTESHELL 0xbbf30:$shell2: SUBMREMOTESHELL 0xbbf48:$shell3: KILLREMOTESHELL
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0xbba80:$a1: #BOT#URLUpdate 0xbb999:$a2: Command successfully executed! 0x3e9dc:$b1: FastMM Borland Edition 0x69520:$b2: %s, ClassID: %s 0xb03fc:$b3: I wasn't able to open the hosts file 0xbb884:$b4: #BOT#VisitUrl 0xaa794:$b5: #KCMDDC
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	DarkComet_4	unknown	unknown	0xbb884:$a1: #BOT# 0xbb89c:$a1: #BOT# 0xbb918:$a1: #BOT# 0xbb960:$a1: #BOT# 0xbb9c4:$a1: #BOT# 0xbba20:$a1: #BOT# 0xbba80:$a1: #BOT# 0xbbb68:$a1: #BOT# 0xbbfa0:$a2: WEBCAMSTOP 0xbb33c:$a3: UnActiveOnlineKeyStrokes 0xbb7ec:$a4: #SendTaskMgr 0xbbc90:$a5: #RemoteScreenSize 0xbaae4:$a6: ping 127.0.0.1 -n 4 > NUL &&
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0xc0f90:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0xbb901:$a2: is now open!\| 0xbb25c:$a3: ActiveOnlineKeylogger 0xbb960:$a4: #BOT#RunPrompt 0xbaa08:$a5: GETMONITORS
21.2.msdcsc.exe.4b4dcb4.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
33.2.dhcpmon.exe.3a1e41c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3a1e41c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3a1e41c.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3a1e41c.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0x28244:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0x28279:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0x28238:$i2: IClientData 0xf78e:$i3: IClientNetwork 0x2825a:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0x28269:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0x28293:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0x282a6:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0x282b9:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0x282c7:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0x282e3:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin
33.2.dhcpmon.exe.3a1e41c.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0x28279:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x28244:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x2d1bf:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0x2d12e:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost 0x28293:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.3423ee4.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.3423ee4.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
19.2.JUNE STUB.EXE.3423ee4.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
19.2.JUNE STUB.EXE.3423ee4.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
19.2.JUNE STUB.EXE.5d14629.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.5d14629.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.5d14629.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JUNE STUB.EXE.5d14629.11.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb14f:$x2: NanoCore.ClientPlugin 0xb184:$x3: NanoCore.ClientPluginHost 0xb143:$i2: IClientData 0xb165:$i3: IClientNetwork 0xb174:$i5: IClientDataHost 0xb19e:$i6: IClientLoggingHost 0xb1b1:$i7: IClientNetworkHost 0xb1c4:$i8: IClientUIHost 0xb1d2:$i9: IClientNameObjectCollection 0xb1ee:$i10: IClientReadOnlyNameObjectCollection 0xaf41:$s1: ClientPlugin 0xb158:$s1: ClientPlugin 0x10179:$s6: get_ClientSettings
19.2.JUNE STUB.EXE.5d14629.11.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb184:$a1: NanoCore.ClientPluginHost 0xb14f:$a2: NanoCore.ClientPlugin 0x100ca:$b1: get_BuilderSettings 0x10039:$b7: LogClientException 0xb19e:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c10000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c10000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
19.2.JUNE STUB.EXE.6c10000.14.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x4b87:$i3: IClientNetwork 0x4bac:$i4: IClientAppHost 0x4bd5:$i5: IClientDataHost 0x4be5:$i7: IClientNetworkHost 0x4bf8:$i9: IClientNameObjectCollection 0x4c1d:$i10: IClientReadOnlyNameObjectCollection 0x49ce:$s1: ClientPlugin 0x4b9f:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c10000.14.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x8558:$b1: get_BuilderSettings 0x4bac:$b4: IClientAppHost
19.2.JUNE STUB.EXE.442df9c.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.442df9c.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xb0fd9:$x1: NanoCore.ClientPluginHost 0xb1016:$x2: IClientNetworkHost 0xb4b49:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.JUNE STUB.EXE.442df9c.8.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1090e:$x2: NanoCore.ClientPlugin 0x10937:$x3: NanoCore.ClientPluginHost 0x108ff:$i3: IClientNetwork 0x10924:$i6: IClientLoggingHost 0x10951:$i7: IClientNetworkHost 0x10964:$i8: IClientUIHost 0x1066e:$s1: ClientPlugin 0x10917:$s1: ClientPlugin
19.2.JUNE STUB.EXE.442df9c.8.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x10937:$a1: NanoCore.ClientPluginHost 0x1090e:$a2: NanoCore.ClientPlugin 0x15962:$b7: LogClientException 0x10924:$b9: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0x7d124:$x1: UnActiveOfflineKeylogger 0x8422c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x7d088:$x3: ActiveOnlineKeylogger 0x7d934:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0xdf160:$s1: MSRSAAP.EXE 0x7d7c5:$s2: Command successfully executed!\| 0x65198:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x72228:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x72ee4:$s5: \Internet Explorer\iexplore.exe 0x7c910:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x65384:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0x82c30:$s8: POST /index.php/1.0
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xb0d41:$x1: NanoCore Client 0xb0d51:$x1: NanoCore Client 0xb0f99:$x2: NanoCore.ClientPlugin 0xb0fd9:$x3: NanoCore.ClientPluginHost 0xb0f8e:$i1: IClientApp 0xb0faf:$i2: IClientData 0xb0fbb:$i3: IClientNetwork 0xb0fca:$i4: IClientAppHost 0xb0ff3:$i5: IClientDataHost 0xb1003:$i6: IClientLoggingHost 0xb1016:$i7: IClientNetworkHost 0xb1029:$i8: IClientUIHost 0xb1037:$i9: IClientNameObjectCollection 0xb1053:$i10: IClientReadOnlyNameObjectCollection 0xb0da0:$s1: ClientPlugin 0xb0fa2:$s1: ClientPlugin 0xb1496:$s2: EndPoint 0xb149f:$s3: IPAddress 0xb14a9:$s4: IPEndPoint 0xb2edf:$s6: get_ClientSettings 0xb3483:$s7: get_Connected
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2b34c:$s1: %s, ClassID: %s 0x2b618:$s2: %s, ProgID: "%s" 0x6c5c0:$s3: #KCMDDC51# 0x7d6b0:$s4: #BOT#VisitUrl 0x7d6c8:$s5: #BOT#OpenUrl 0x7d744:$s6: #BOT#Ping 0x7d78c:$s7: #BOT#RunPrompt 0x7d7f0:$s8: #BOT#CloseServer 0x7d84c:$s9: #BOT#SvrUninstall 0x7d8ac:$s10: #BOT#URLUpdate 0x7d994:$s11: #BOT#URLDownload 0x7d710:$s12: BTRESULTOpen 0x7d758:$s12: BTRESULTPing\|Respond 0x7d7a4:$s12: BTRESULTRun 0x7d80c:$s12: BTRESULTClose 0x7d868:$s12: BTRESULTUninstall\|uninstall 0x7d934:$s12: BTRESULTUpdate 0x81884:$s12: BTRESULTUDP 0x81d28:$s12: BTRESULTSyn 0x82a54:$s12: BTRESULTVisit 0x82dbc:$s12: BTRESULTHTTP
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb0d41:$a: NanoCore 0xb0d51:$a: NanoCore 0xb0f85:$a: NanoCore 0xb0f99:$a: NanoCore 0xb0fd9:$a: NanoCore 0xb0da0:$b: ClientPlugin 0xb0fa2:$b: ClientPlugin 0xb0fe2:$b: ClientPlugin 0xb0ec7:$c: ProjectData 0xb18ce:$d: DESCrypto 0x8576a:$e: KeepAlive 0xb929a:$e: KeepAlive 0xde90e:$e: KeepAlive 0xb7288:$g: LogClientMessage 0xb3483:$i: get_Connected 0xb1c04:$j: #=q 0xb1c34:$j: #=q 0xb1c50:$j: #=q 0xb1c80:$j: #=q 0xb1c9c:$j: #=q 0xb1cb8:$j: #=q
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7d6c8:$bot1: #BOT#OpenUrl 0x7d744:$bot2: #BOT#Ping 0x7d78c:$bot3: #BOT#RunPrompt 0x7d84c:$bot4: #BOT#SvrUninstall 0x7d994:$bot5: #BOT#URLDownload 0x7d8ac:$bot6: #BOT#URLUpdate 0x7d6b0:$bot7: #BOT#VisitUrl 0x7d7f0:$bot8: #BOT#CloseServer 0x7da38:$ddos1: DDOSHTTPFLOOD 0x7da50:$ddos2: DDOSSYNFLOOD 0x7da68:$ddos3: DDOSUDPFLOOD 0x7d088:$keylogger1: ActiveOnlineKeylogger 0x7d0aa:$keylogger1: ActiveOnlineKeylogger 0x7d0a8:$keylogger2: UnActiveOnlineKeylogger 0x7d104:$keylogger3: ActiveOfflineKeylogger 0x7d126:$keylogger3: ActiveOfflineKeylogger 0x7d124:$keylogger4: UnActiveOfflineKeylogger 0x7dd30:$shell1: ACTIVEREMOTESHELL 0x7dd5c:$shell2: SUBMREMOTESHELL 0x7dd74:$shell3: KILLREMOTESHELL
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7d8ac:$a1: #BOT#URLUpdate 0x7d7c5:$a2: Command successfully executed! 0x808:$b1: FastMM Borland Edition 0x2b34c:$b2: %s, ClassID: %s 0x72228:$b3: I wasn't able to open the hosts file 0x7d6b0:$b4: #BOT#VisitUrl 0x6c5c0:$b5: #KCMDDC
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	DarkComet_4	unknown	unknown	0x7d6b0:$a1: #BOT# 0x7d6c8:$a1: #BOT# 0x7d744:$a1: #BOT# 0x7d78c:$a1: #BOT# 0x7d7f0:$a1: #BOT# 0x7d84c:$a1: #BOT# 0x7d8ac:$a1: #BOT# 0x7d994:$a1: #BOT# 0x7ddcc:$a2: WEBCAMSTOP 0x7d168:$a3: UnActiveOnlineKeyStrokes 0x7d618:$a4: #SendTaskMgr 0x7dabc:$a5: #RemoteScreenSize 0x7c910:$a6: ping 127.0.0.1 -n 4 > NUL &&
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x82dbc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7d72d:$a2: is now open!\| 0x7d088:$a3: ActiveOnlineKeylogger 0x7d78c:$a4: #BOT#RunPrompt 0x7c834:$a5: GETMONITORS
12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xb0fd9:$a1: NanoCore.ClientPluginHost 0xb0f99:$a2: NanoCore.ClientPlugin 0xb2ef2:$b1: get_BuilderSettings 0xb0df5:$b2: ClientLoaderForm.resources 0xb2612:$b3: PluginCommand 0xb0fca:$b4: IClientAppHost 0xbb44a:$b5: GetBlockHash 0xb354a:$b6: AddHostEntry 0xb723d:$b7: LogClientException 0xb34b7:$b8: PipeExists 0xb1003:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1f1b2:$x2: NanoCore.ClientPlugin 0x1f1db:$x3: NanoCore.ClientPluginHost 0x1f1a3:$i3: IClientNetwork 0x1f1c8:$i6: IClientLoggingHost 0x1f1f5:$i7: IClientNetworkHost 0x1f208:$i8: IClientUIHost 0x1ef12:$s1: ClientPlugin 0x1f1bb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1f1db:$a1: NanoCore.ClientPluginHost 0x1f1b2:$a2: NanoCore.ClientPlugin 0x24206:$b7: LogClientException 0x1f1c8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6d30000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d30000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d30000.27.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x5fc9:$x2: NanoCore.ClientPlugin 0x5fee:$x3: NanoCore.ClientPluginHost 0x5fba:$i3: IClientNetwork 0x5fdf:$i4: IClientAppHost 0x6008:$i5: IClientDataHost 0x6018:$i6: IClientLoggingHost 0x602b:$i7: IClientNetworkHost 0x603e:$i8: IClientUIHost 0x604c:$i9: IClientNameObjectCollection 0x5d70:$s1: ClientPlugin 0x5fd2:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d30000.27.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x5fee:$a1: NanoCore.ClientPluginHost 0x5fc9:$a2: NanoCore.ClientPlugin 0x5fdf:$b4: IClientAppHost 0xa4ce:$b7: LogClientException 0x6018:$b9: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.0.JUNE STUB.EXE.cc0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.0.JUNE STUB.EXE.cc0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.0.JUNE STUB.EXE.cc0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.0.JUNE STUB.EXE.cc0000.0.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
19.0.JUNE STUB.EXE.cc0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.0.JUNE STUB.EXE.cc0000.0.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4424397.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4424397.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4424397.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4424397.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6ca0000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6ca0000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6ca0000.20.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x3ed5:$x2: NanoCore.ClientPlugin 0x3deb:$x3: NanoCore.ClientPluginHost 0x3eeb:$i3: IClientNetwork 0x3e24:$i5: IClientDataHost 0x3e05:$i6: IClientLoggingHost 0x3f48:$i7: IClientNetworkHost 0x3e43:$i8: IClientUIHost 0x4d55:$i9: IClientNameObjectCollection 0x38fc:$s1: ClientPlugin 0x3ede:$s1: ClientPlugin 0x4d71:$s6: get_ClientSettings
19.2.JUNE STUB.EXE.6ca0000.20.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x3deb:$a1: NanoCore.ClientPluginHost 0x3ed5:$a2: NanoCore.ClientPlugin 0x572e:$b7: LogClientException 0x4d41:$b8: PipeExists 0x3e05:$b9: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0x7dd24:$x1: UnActiveOfflineKeylogger 0x84e2c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x7dc88:$x3: ActiveOnlineKeylogger 0x7e534:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x7e3c5:$s2: Command successfully executed!\| 0x65d98:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x72e28:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x73ae4:$s5: \Internet Explorer\iexplore.exe 0x7d510:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x65f84:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0x83830:$s8: POST /index.php/1.0
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x2bf4c:$s1: %s, ClassID: %s 0x2c218:$s2: %s, ProgID: "%s" 0x6d1c0:$s3: #KCMDDC51# 0x7e2b0:$s4: #BOT#VisitUrl 0x7e2c8:$s5: #BOT#OpenUrl 0x7e344:$s6: #BOT#Ping 0x7e38c:$s7: #BOT#RunPrompt 0x7e3f0:$s8: #BOT#CloseServer 0x7e44c:$s9: #BOT#SvrUninstall 0x7e4ac:$s10: #BOT#URLUpdate 0x7e594:$s11: #BOT#URLDownload 0x7e310:$s12: BTRESULTOpen 0x7e358:$s12: BTRESULTPing\|Respond 0x7e3a4:$s12: BTRESULTRun 0x7e40c:$s12: BTRESULTClose 0x7e468:$s12: BTRESULTUninstall\|uninstall 0x7e534:$s12: BTRESULTUpdate 0x82484:$s12: BTRESULTUDP 0x82928:$s12: BTRESULTSyn 0x83654:$s12: BTRESULTVisit 0x839bc:$s12: BTRESULTHTTP
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x7e2c8:$bot1: #BOT#OpenUrl 0x7e344:$bot2: #BOT#Ping 0x7e38c:$bot3: #BOT#RunPrompt 0x7e44c:$bot4: #BOT#SvrUninstall 0x7e594:$bot5: #BOT#URLDownload 0x7e4ac:$bot6: #BOT#URLUpdate 0x7e2b0:$bot7: #BOT#VisitUrl 0x7e3f0:$bot8: #BOT#CloseServer 0x7e638:$ddos1: DDOSHTTPFLOOD 0x7e650:$ddos2: DDOSSYNFLOOD 0x7e668:$ddos3: DDOSUDPFLOOD 0x7dc88:$keylogger1: ActiveOnlineKeylogger 0x7dcaa:$keylogger1: ActiveOnlineKeylogger 0x7dca8:$keylogger2: UnActiveOnlineKeylogger 0x7dd04:$keylogger3: ActiveOfflineKeylogger 0x7dd26:$keylogger3: ActiveOfflineKeylogger 0x7dd24:$keylogger4: UnActiveOfflineKeylogger 0x7e930:$shell1: ACTIVEREMOTESHELL 0x7e95c:$shell2: SUBMREMOTESHELL 0x7e974:$shell3: KILLREMOTESHELL
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x7e4ac:$a1: #BOT#URLUpdate 0x7e3c5:$a2: Command successfully executed! 0x1408:$b1: FastMM Borland Edition 0x2bf4c:$b2: %s, ClassID: %s 0x72e28:$b3: I wasn't able to open the hosts file 0x7e2b0:$b4: #BOT#VisitUrl 0x6d1c0:$b5: #KCMDDC
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	DarkComet_4	unknown	unknown	0x7e2b0:$a1: #BOT# 0x7e2c8:$a1: #BOT# 0x7e344:$a1: #BOT# 0x7e38c:$a1: #BOT# 0x7e3f0:$a1: #BOT# 0x7e44c:$a1: #BOT# 0x7e4ac:$a1: #BOT# 0x7e594:$a1: #BOT# 0x7e9cc:$a2: WEBCAMSTOP 0x7dd68:$a3: UnActiveOnlineKeyStrokes 0x7e218:$a4: #SendTaskMgr 0x7e6bc:$a5: #RemoteScreenSize 0x7d510:$a6: ping 127.0.0.1 -n 4 > NUL &&
12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x839bc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x7e32d:$a2: is now open!\| 0x7dc88:$a3: ActiveOnlineKeylogger 0x7e38c:$a4: #BOT#RunPrompt 0x7d434:$a5: GETMONITORS
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c20000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c20000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6c20000.15.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork 0x8b95:$i5: IClientDataHost 0x8bbf:$i6: IClientLoggingHost 0x8bd2:$i7: IClientNetworkHost 0x8be5:$i9: IClientNameObjectCollection 0x8902:$s1: ClientPlugin 0x8b88:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c20000.15.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x8bbf:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.5d10000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.5d10000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.5d10000.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JUNE STUB.EXE.5d10000.12.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xf778:$x2: NanoCore.ClientPlugin 0xf7ad:$x3: NanoCore.ClientPluginHost 0xf76c:$i2: IClientData 0xf78e:$i3: IClientNetwork 0xf79d:$i5: IClientDataHost 0xf7c7:$i6: IClientLoggingHost 0xf7da:$i7: IClientNetworkHost 0xf7ed:$i8: IClientUIHost 0xf7fb:$i9: IClientNameObjectCollection 0xf817:$i10: IClientReadOnlyNameObjectCollection 0xf56a:$s1: ClientPlugin 0xf781:$s1: ClientPlugin 0x147a2:$s6: get_ClientSettings
19.2.JUNE STUB.EXE.5d10000.12.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xf7ad:$a1: NanoCore.ClientPluginHost 0xf778:$a2: NanoCore.ClientPlugin 0x146f3:$b1: get_BuilderSettings 0x14662:$b7: LogClientException 0xf7c7:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.2f60c98.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1a513:$x2: NanoCore.ClientPlugin 0x1a53c:$x3: NanoCore.ClientPluginHost 0x1a504:$i3: IClientNetwork 0x1a529:$i6: IClientLoggingHost 0x1a556:$i7: IClientNetworkHost 0x1a569:$i8: IClientUIHost 0x1a273:$s1: ClientPlugin 0x1a51c:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1a53c:$a1: NanoCore.ClientPluginHost 0x1a513:$a2: NanoCore.ClientPlugin 0x1f567:$b7: LogClientException 0x1a529:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.4588b4e.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.4588b4e.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.4588b4e.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x16e2:$x2: NanoCore.ClientPlugin 0x170b:$x3: NanoCore.ClientPluginHost 0x16d3:$i3: IClientNetwork 0x16f8:$i6: IClientLoggingHost 0x1725:$i7: IClientNetworkHost 0x154e:$s1: ClientPlugin 0x16eb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.4588b4e.9.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x170b:$a1: NanoCore.ClientPluginHost 0x16e2:$a2: NanoCore.ClientPlugin 0x3a54:$b7: LogClientException 0x16f8:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0xdc9cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xdca0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe053d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0xbb2f8:$x1: UnActiveOfflineKeylogger 0xc2400:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0xbb25c:$x3: ActiveOnlineKeylogger 0xbbb08:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x3e314:$s1: MSRSAAP.EXE 0x10ab54:$s1: MSRSAAP.EXE 0xbb999:$s2: Command successfully executed!\| 0xa336c:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0xb03fc:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0xb10b8:$s5: \Internet Explorer\iexplore.exe 0xbaae4:$s6: ping 127.0.0.1 -n 4 > NUL && " 0xa3558:$s7: BTMemoryGetProcAddress: DLL doesn't export anything 0xc0e04:$s8: POST /index.php/1.0
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0xbba80:$a1: #BOT#URLUpdate 0xbb999:$a2: Command successfully executed! 0x3e9dc:$b1: FastMM Borland Edition 0x69520:$b2: %s, ClassID: %s 0xb03fc:$b3: I wasn't able to open the hosts file 0xbb884:$b4: #BOT#VisitUrl 0xaa794:$b5: #KCMDDC
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0xdc735:$x1: NanoCore Client 0xdc745:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0xdc98d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0xdc9cd:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0xdc982:$i1: IClientApp 0x10163:$i2: IClientData 0xdc9a3:$i2: IClientData 0x1016f:$i3: IClientNetwork 0xdc9af:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0xdc9be:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0xdc9e7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0xdc9f7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x69520:$s1: %s, ClassID: %s 0x697ec:$s2: %s, ProgID: "%s" 0xaa794:$s3: #KCMDDC51# 0xbb884:$s4: #BOT#VisitUrl 0xbb89c:$s5: #BOT#OpenUrl 0xbb918:$s6: #BOT#Ping 0xbb960:$s7: #BOT#RunPrompt 0xbb9c4:$s8: #BOT#CloseServer 0xbba20:$s9: #BOT#SvrUninstall 0xbba80:$s10: #BOT#URLUpdate 0xbbb68:$s11: #BOT#URLDownload 0xbb8e4:$s12: BTRESULTOpen 0xbb92c:$s12: BTRESULTPing\|Respond 0xbb978:$s12: BTRESULTRun 0xbb9e0:$s12: BTRESULTClose 0xbba3c:$s12: BTRESULTUninstall\|uninstall 0xbbb08:$s12: BTRESULTUpdate 0xbfa58:$s12: BTRESULTUDP 0xbfefc:$s12: BTRESULTSyn 0xc0c28:$s12: BTRESULTVisit 0xc0f90:$s12: BTRESULTHTTP
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xdc735:$a: NanoCore 0xdc745:$a: NanoCore 0xdc979:$a: NanoCore 0xdc98d:$a: NanoCore 0xdc9cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xdc794:$b: ClientPlugin 0xdc996:$b: ClientPlugin 0xdc9d6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xdc8bb:$c: ProjectData 0x10a82:$d: DESCrypto 0xdd2c2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0xbb89c:$bot1: #BOT#OpenUrl 0xbb918:$bot2: #BOT#Ping 0xbb960:$bot3: #BOT#RunPrompt 0xbba20:$bot4: #BOT#SvrUninstall 0xbbb68:$bot5: #BOT#URLDownload 0xbba80:$bot6: #BOT#URLUpdate 0xbb884:$bot7: #BOT#VisitUrl 0xbb9c4:$bot8: #BOT#CloseServer 0xbbc0c:$ddos1: DDOSHTTPFLOOD 0xbbc24:$ddos2: DDOSSYNFLOOD 0xbbc3c:$ddos3: DDOSUDPFLOOD 0xbb25c:$keylogger1: ActiveOnlineKeylogger 0xbb27e:$keylogger1: ActiveOnlineKeylogger 0xbb27c:$keylogger2: UnActiveOnlineKeylogger 0xbb2d8:$keylogger3: ActiveOfflineKeylogger 0xbb2fa:$keylogger3: ActiveOfflineKeylogger 0xbb2f8:$keylogger4: UnActiveOfflineKeylogger 0xbbf04:$shell1: ACTIVEREMOTESHELL 0xbbf30:$shell2: SUBMREMOTESHELL 0xbbf48:$shell3: KILLREMOTESHELL
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0xbba80:$a1: #BOT#URLUpdate 0xbb999:$a2: Command successfully executed! 0x3e9dc:$b1: FastMM Borland Edition 0x69520:$b2: %s, ClassID: %s 0xb03fc:$b3: I wasn't able to open the hosts file 0xbb884:$b4: #BOT#VisitUrl 0xaa794:$b5: #KCMDDC
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	DarkComet_4	unknown	unknown	0xbb884:$a1: #BOT# 0xbb89c:$a1: #BOT# 0xbb918:$a1: #BOT# 0xbb960:$a1: #BOT# 0xbb9c4:$a1: #BOT# 0xbba20:$a1: #BOT# 0xbba80:$a1: #BOT# 0xbbb68:$a1: #BOT# 0xbbfa0:$a2: WEBCAMSTOP 0xbb33c:$a3: UnActiveOnlineKeyStrokes 0xbb7ec:$a4: #SendTaskMgr 0xbbc90:$a5: #RemoteScreenSize 0xbaae4:$a6: ping 127.0.0.1 -n 4 > NUL &&
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0xc0f90:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0xbb901:$a2: is now open!\| 0xbb25c:$a3: ActiveOnlineKeylogger 0xbb960:$a4: #BOT#RunPrompt 0xbaa08:$a5: GETMONITORS
0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0xdc9cd:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0xdc98d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xde8e6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0xdc7e9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0xde006:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0xdc9be:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0xe6e3e:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0xdef3e:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0xe2c31:$b7: LogClientException 0x1266b:$b8: PipeExists 0xdeeab:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6d30000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d30000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d30000.27.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x41c9:$x2: NanoCore.ClientPlugin 0x41ee:$x3: NanoCore.ClientPluginHost 0x41ba:$i3: IClientNetwork 0x41df:$i4: IClientAppHost 0x4208:$i5: IClientDataHost 0x4218:$i6: IClientLoggingHost 0x422b:$i7: IClientNetworkHost 0x423e:$i8: IClientUIHost 0x424c:$i9: IClientNameObjectCollection 0x3f70:$s1: ClientPlugin 0x41d2:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d30000.27.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x41ee:$a1: NanoCore.ClientPluginHost 0x41c9:$a2: NanoCore.ClientPlugin 0x41df:$b4: IClientAppHost 0x86ce:$b7: LogClientException 0x4218:$b9: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6d00000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6d00000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.6d00000.24.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6d00000.24.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.6c10000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.6c10000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
19.2.JUNE STUB.EXE.6c10000.14.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2d96:$x2: NanoCore.ClientPlugin 0x2dbb:$x3: NanoCore.ClientPluginHost 0x2d87:$i3: IClientNetwork 0x2dac:$i4: IClientAppHost 0x2dd5:$i5: IClientDataHost 0x2de5:$i7: IClientNetworkHost 0x2df8:$i9: IClientNameObjectCollection 0x2e1d:$i10: IClientReadOnlyNameObjectCollection 0x2bce:$s1: ClientPlugin 0x2d9f:$s1: ClientPlugin
19.2.JUNE STUB.EXE.6c10000.14.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x2dbb:$a1: NanoCore.ClientPluginHost 0x2d96:$a2: NanoCore.ClientPlugin 0x6758:$b1: get_BuilderSettings 0x2dac:$b4: IClientAppHost
0.2.A1DB2JVWGG.CNT.exe.2f2f970.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
22.2.msdcsc.exe.504a4f4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
22.2.msdcsc.exe.504a4f4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
22.2.msdcsc.exe.504a4f4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.msdcsc.exe.504a4f4.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
22.2.msdcsc.exe.504a4f4.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
22.2.msdcsc.exe.504a4f4.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe38d:$a1: NanoCore.ClientPluginHost 0xe34d:$a2: NanoCore.ClientPlugin 0x102a6:$b1: get_BuilderSettings 0xe1a9:$b2: ClientLoaderForm.resources 0xf9c6:$b3: PluginCommand 0xe37e:$b4: IClientAppHost 0x187fe:$b5: GetBlockHash 0x108fe:$b6: AddHostEntry 0x145f1:$b7: LogClientException 0x1086b:$b8: PipeExists 0xe3b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0xe29:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost 0xea2:$i8: IClientUIHost 0xed2:$i9: IClientNameObjectCollection 0xef7:$i10: IClientReadOnlyNameObjectCollection 0xe41:$s1: ClientPlugin 0x177c:$s1: ClientPlugin 0x1789:$s1: ClientPlugin 0x11f9:$s6: get_ClientSettings 0x1249:$s7: get_Connected
19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe38:$x2: NanoCore.ClientPlugin 0x145ae:$x2: NanoCore.ClientPlugin 0x2d07a:$x2: NanoCore.ClientPlugin 0xe75:$x3: NanoCore.ClientPluginHost 0x145e3:$x3: NanoCore.ClientPluginHost 0x2d0af:$x3: NanoCore.ClientPluginHost 0xe5a:$i1: IClientApp 0xe4e:$i2: IClientData 0x145a2:$i2: IClientData 0x2d06e:$i2: IClientData 0xe29:$i3: IClientNetwork 0x145c4:$i3: IClientNetwork 0x2d090:$i3: IClientNetwork 0xec3:$i4: IClientAppHost 0xe65:$i5: IClientDataHost 0x145d3:$i5: IClientDataHost 0x2d09f:$i5: IClientDataHost 0xeb0:$i6: IClientLoggingHost 0x145fd:$i6: IClientLoggingHost 0x2d0c9:$i6: IClientLoggingHost 0xe8f:$i7: IClientNetworkHost
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
33.2.dhcpmon.exe.3a195e6.2.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0xe75:$a1: NanoCore.ClientPluginHost 0x145e3:$a1: NanoCore.ClientPluginHost 0x2d0af:$a1: NanoCore.ClientPluginHost 0xe38:$a2: NanoCore.ClientPlugin 0x145ae:$a2: NanoCore.ClientPlugin 0x2d07a:$a2: NanoCore.ClientPlugin 0x120c:$b1: get_BuilderSettings 0x19529:$b1: get_BuilderSettings 0x31ff5:$b1: get_BuilderSettings 0xec3:$b4: IClientAppHost 0x127d:$b6: AddHostEntry 0x12ec:$b7: LogClientException 0x19498:$b7: LogClientException 0x31f64:$b7: LogClientException 0x1261:$b8: PipeExists 0xeb0:$b9: IClientLoggingHost 0x145fd:$b9: IClientLoggingHost 0x2d0c9:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.441f6f8.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.441f6f8.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth (Nextron Systems)	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
19.2.JUNE STUB.EXE.441f6f8.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d3b2:$x2: NanoCore.ClientPlugin 0x1d3db:$x3: NanoCore.ClientPluginHost 0x1d3a3:$i3: IClientNetwork 0x1d3c8:$i6: IClientLoggingHost 0x1d3f5:$i7: IClientNetworkHost 0x1d408:$i8: IClientUIHost 0x1d112:$s1: ClientPlugin 0x1d3bb:$s1: ClientPlugin
19.2.JUNE STUB.EXE.441f6f8.5.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d3db:$a1: NanoCore.ClientPluginHost 0x1d3b2:$a2: NanoCore.ClientPlugin 0x22406:$b7: LogClientException 0x1d3c8:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.3430124.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d17:$x1: NanoCore.ClientPluginHost 0x1fb6f:$x1: NanoCore.ClientPluginHost 0x27a9d:$x1: NanoCore.ClientPluginHost 0x2da78:$x1: NanoCore.ClientPluginHost 0x35513:$x1: NanoCore.ClientPluginHost 0x404fd:$x1: NanoCore.ClientPluginHost 0x4c2ab:$x1: NanoCore.ClientPluginHost 0x57ffe:$x1: NanoCore.ClientPluginHost 0x686df:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d50:$x2: IClientNetworkHost 0x1fba8:$x2: IClientNetworkHost 0x27ad6:$x2: IClientNetworkHost 0x3554c:$x2: IClientNetworkHost 0x40517:$x2: IClientNetworkHost 0x4c2c5:$x2: IClientNetworkHost 0x5803b:$x2: IClientNetworkHost 0x6883c:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.3430124.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x8b7f:$x2: NanoCore.ClientPlugin 0x15d93:$x2: NanoCore.ClientPlugin 0x1fbeb:$x2: NanoCore.ClientPlugin 0x27b17:$x2: NanoCore.ClientPlugin 0x2dac2:$x2: NanoCore.ClientPlugin 0x355b3:$x2: NanoCore.ClientPlugin 0x404d4:$x2: NanoCore.ClientPlugin 0x4c282:$x2: NanoCore.ClientPlugin 0x57fd9:$x2: NanoCore.ClientPlugin 0x687c9:$x2: NanoCore.ClientPlugin 0x8ba5:$x3: NanoCore.ClientPluginHost 0x15d17:$x3: NanoCore.ClientPluginHost 0x1fb6f:$x3: NanoCore.ClientPluginHost 0x27a9d:$x3: NanoCore.ClientPluginHost 0x2da78:$x3: NanoCore.ClientPluginHost 0x35513:$x3: NanoCore.ClientPluginHost 0x404fd:$x3: NanoCore.ClientPluginHost 0x4c2ab:$x3: NanoCore.ClientPluginHost 0x57ffe:$x3: NanoCore.ClientPluginHost 0x686df:$x3: NanoCore.ClientPluginHost 0x8b70:$i3: IClientNetwork
19.2.JUNE STUB.EXE.3430124.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a5f:$a: NanoCore 0x15ab8:$a: NanoCore 0x15aeb:$a: NanoCore 0x15d17:$a: NanoCore 0x15d93:$a: NanoCore 0x163ac:$a: NanoCore 0x164f5:$a: NanoCore 0x169c9:$a: NanoCore 0x16cb0:$a: NanoCore 0x16cc7:$a: NanoCore 0x1fb6f:$a: NanoCore 0x1fbeb:$a: NanoCore 0x224ce:$a: NanoCore 0x27a9d:$a: NanoCore 0x27b17:$a: NanoCore 0x2da78:$a: NanoCore 0x2dac2:$a: NanoCore 0x2e71c:$a: NanoCore
19.2.JUNE STUB.EXE.3430124.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x8ba5:$a1: NanoCore.ClientPluginHost 0x15d17:$a1: NanoCore.ClientPluginHost 0x1fb6f:$a1: NanoCore.ClientPluginHost 0x27a9d:$a1: NanoCore.ClientPluginHost 0x2da78:$a1: NanoCore.ClientPluginHost 0x35513:$a1: NanoCore.ClientPluginHost 0x404fd:$a1: NanoCore.ClientPluginHost 0x4c2ab:$a1: NanoCore.ClientPluginHost 0x57ffe:$a1: NanoCore.ClientPluginHost 0x686df:$a1: NanoCore.ClientPluginHost 0x8b7f:$a2: NanoCore.ClientPlugin 0x15d93:$a2: NanoCore.ClientPlugin 0x1fbeb:$a2: NanoCore.ClientPlugin 0x27b17:$a2: NanoCore.ClientPlugin 0x2dac2:$a2: NanoCore.ClientPlugin 0x355b3:$a2: NanoCore.ClientPlugin 0x404d4:$a2: NanoCore.ClientPlugin 0x4c282:$a2: NanoCore.ClientPlugin 0x57fd9:$a2: NanoCore.ClientPlugin 0x687c9:$a2: NanoCore.ClientPlugin 0x57fef:$b4: IClientAppHost
21.2.msdcsc.exe.4126b74.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.msdcsc.exe.4126b74.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.msdcsc.exe.4126b74.5.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
21.2.msdcsc.exe.4126b74.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q
21.2.msdcsc.exe.4126b74.5.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14de5:$x1: NanoCore.ClientPluginHost 0x21f57:$x1: NanoCore.ClientPluginHost 0x2bdaf:$x1: NanoCore.ClientPluginHost 0x33cdd:$x1: NanoCore.ClientPluginHost 0x39cb8:$x1: NanoCore.ClientPluginHost 0x41753:$x1: NanoCore.ClientPluginHost 0x4c73d:$x1: NanoCore.ClientPluginHost 0x584eb:$x1: NanoCore.ClientPluginHost 0x6423e:$x1: NanoCore.ClientPluginHost 0x7491f:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e12:$x2: IClientNetworkHost 0x21f90:$x2: IClientNetworkHost 0x2bde8:$x2: IClientNetworkHost 0x33d16:$x2: IClientNetworkHost 0x4178c:$x2: IClientNetworkHost 0x4c757:$x2: IClientNetworkHost 0x58505:$x2: IClientNetworkHost 0x6427b:$x2: IClientNetworkHost 0x74a7c:$x2: IClientNetworkHost
19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x4b96:$x2: NanoCore.ClientPlugin 0x14dbf:$x2: NanoCore.ClientPlugin 0x21fd3:$x2: NanoCore.ClientPlugin 0x2be2b:$x2: NanoCore.ClientPlugin 0x33d57:$x2: NanoCore.ClientPlugin 0x39d02:$x2: NanoCore.ClientPlugin 0x417f3:$x2: NanoCore.ClientPlugin 0x4c714:$x2: NanoCore.ClientPlugin 0x584c2:$x2: NanoCore.ClientPlugin 0x64219:$x2: NanoCore.ClientPlugin 0x74a09:$x2: NanoCore.ClientPlugin 0x4bbb:$x3: NanoCore.ClientPluginHost 0x14de5:$x3: NanoCore.ClientPluginHost 0x21f57:$x3: NanoCore.ClientPluginHost 0x2bdaf:$x3: NanoCore.ClientPluginHost 0x33cdd:$x3: NanoCore.ClientPluginHost 0x39cb8:$x3: NanoCore.ClientPluginHost 0x41753:$x3: NanoCore.ClientPluginHost 0x4c73d:$x3: NanoCore.ClientPluginHost 0x584eb:$x3: NanoCore.ClientPluginHost 0x6423e:$x3: NanoCore.ClientPluginHost
19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14dbf:$a: NanoCore 0x14de5:$a: NanoCore 0x14e41:$a: NanoCore 0x21c9f:$a: NanoCore 0x21cf8:$a: NanoCore 0x21d2b:$a: NanoCore 0x21f57:$a: NanoCore 0x21fd3:$a: NanoCore 0x225ec:$a: NanoCore 0x22735:$a: NanoCore 0x22c09:$a: NanoCore 0x22ef0:$a: NanoCore 0x22f07:$a: NanoCore 0x2bdaf:$a: NanoCore 0x2be2b:$a: NanoCore 0x2e70e:$a: NanoCore 0x33cdd:$a: NanoCore 0x33d57:$a: NanoCore
19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x4bbb:$a1: NanoCore.ClientPluginHost 0x14de5:$a1: NanoCore.ClientPluginHost 0x21f57:$a1: NanoCore.ClientPluginHost 0x2bdaf:$a1: NanoCore.ClientPluginHost 0x33cdd:$a1: NanoCore.ClientPluginHost 0x39cb8:$a1: NanoCore.ClientPluginHost 0x41753:$a1: NanoCore.ClientPluginHost 0x4c73d:$a1: NanoCore.ClientPluginHost 0x584eb:$a1: NanoCore.ClientPluginHost 0x6423e:$a1: NanoCore.ClientPluginHost 0x7491f:$a1: NanoCore.ClientPluginHost 0x4b96:$a2: NanoCore.ClientPlugin 0x14dbf:$a2: NanoCore.ClientPlugin 0x21fd3:$a2: NanoCore.ClientPlugin 0x2be2b:$a2: NanoCore.ClientPlugin 0x33d57:$a2: NanoCore.ClientPlugin 0x39d02:$a2: NanoCore.ClientPlugin 0x417f3:$a2: NanoCore.ClientPlugin 0x4c714:$a2: NanoCore.ClientPlugin 0x584c2:$a2: NanoCore.ClientPlugin 0x64219:$a2: NanoCore.ClientPlugin
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1d7df9:$x1: NanoCore.ClientPluginHost 0x2a4639:$x1: NanoCore.ClientPluginHost 0x1d7e36:$x2: IClientNetworkHost 0x2a4676:$x2: IClientNetworkHost 0x1db969:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2a81a9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	Malware_QA_update	VT Research QA uploaded malware - file update.exe	Florian Roth (Nextron Systems)	0x1a3f44:$x1: UnActiveOfflineKeylogger 0x282f64:$x1: UnActiveOfflineKeylogger 0x1ab04c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x28a06c:$x2: BTRESULTDownload File\|Mass Download : File Downloaded , Executing new one in temp dir...\| 0x1a3ea8:$x3: ActiveOnlineKeylogger 0x282ec8:$x3: ActiveOnlineKeylogger 0x1a4754:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x283774:$x6: BTRESULTUpdate from URL\|Update : File Downloaded , Executing new one in temp dir...\| 0x205f80:$s1: MSRSAAP.EXE 0x2d27c0:$s1: MSRSAAP.EXE 0x1a45e5:$s2: Command successfully executed!\| 0x283605:$s2: Command successfully executed!\| 0x18bfb8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x26afd8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed 0x199048:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x278068:$s4: I wasn't able to open the hosts file, maybe because UAC is enabled in remote computer! 0x199d04:$s5: \Internet Explorer\iexplore.exe 0x278d24:$s5: \Internet Explorer\iexplore.exe 0x1a3730:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x282750:$s6: ping 127.0.0.1 -n 4 > NUL && " 0x18c1a4:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	RAT_DarkComet	Detects DarkComet RAT	Kevin Breen <kevin@techanarchy.net>	0x1a46cc:$a1: #BOT#URLUpdate 0x2836ec:$a1: #BOT#URLUpdate 0x1a45e5:$a2: Command successfully executed! 0x283605:$a2: Command successfully executed! 0x127628:$b1: FastMM Borland Edition 0x206648:$b1: FastMM Borland Edition 0x15216c:$b2: %s, ClassID: %s 0x23118c:$b2: %s, ClassID: %s 0x199048:$b3: I wasn't able to open the hosts file 0x278068:$b3: I wasn't able to open the hosts file 0x1a44d0:$b4: #BOT#VisitUrl 0x2834f0:$b4: #BOT#VisitUrl 0x1933e0:$b5: #KCMDDC 0x272400:$b5: #KCMDDC
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	JoeSecurity_DarkCometRat	Yara detected DarkComet	Kevin Breen <kevin@techanarchy.net>
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1d7b61:$x1: NanoCore Client 0x1d7b71:$x1: NanoCore Client 0x2a43a1:$x1: NanoCore Client 0x2a43b1:$x1: NanoCore Client 0x1d7db9:$x2: NanoCore.ClientPlugin 0x2a45f9:$x2: NanoCore.ClientPlugin 0x1d7df9:$x3: NanoCore.ClientPluginHost 0x2a4639:$x3: NanoCore.ClientPluginHost 0x1d7dae:$i1: IClientApp 0x2a45ee:$i1: IClientApp 0x1d7dcf:$i2: IClientData 0x2a460f:$i2: IClientData 0x1d7ddb:$i3: IClientNetwork 0x2a461b:$i3: IClientNetwork 0x1d7dea:$i4: IClientAppHost 0x2a462a:$i4: IClientAppHost 0x1d7e13:$i5: IClientDataHost 0x2a4653:$i5: IClientDataHost 0x1d7e23:$i6: IClientLoggingHost 0x2a4663:$i6: IClientLoggingHost 0x1d7e36:$i7: IClientNetworkHost
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	MALWARE_Win_DarkComet	Detects DarkComet	ditekSHen	0x15216c:$s1: %s, ClassID: %s 0x23118c:$s1: %s, ClassID: %s 0x152438:$s2: %s, ProgID: "%s" 0x231458:$s2: %s, ProgID: "%s" 0x1933e0:$s3: #KCMDDC51# 0x272400:$s3: #KCMDDC51# 0x1a44d0:$s4: #BOT#VisitUrl 0x2834f0:$s4: #BOT#VisitUrl 0x1a44e8:$s5: #BOT#OpenUrl 0x283508:$s5: #BOT#OpenUrl 0x1a4564:$s6: #BOT#Ping 0x283584:$s6: #BOT#Ping 0x1a45ac:$s7: #BOT#RunPrompt 0x2835cc:$s7: #BOT#RunPrompt 0x1a4610:$s8: #BOT#CloseServer 0x283630:$s8: #BOT#CloseServer 0x1a466c:$s9: #BOT#SvrUninstall 0x28368c:$s9: #BOT#SvrUninstall 0x1a46cc:$s10: #BOT#URLUpdate 0x2836ec:$s10: #BOT#URLUpdate 0x1a47b4:$s11: #BOT#URLDownload
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d7b61:$a: NanoCore 0x1d7b71:$a: NanoCore 0x1d7da5:$a: NanoCore 0x1d7db9:$a: NanoCore 0x1d7df9:$a: NanoCore 0x2a43a1:$a: NanoCore 0x2a43b1:$a: NanoCore 0x2a45e5:$a: NanoCore 0x2a45f9:$a: NanoCore 0x2a4639:$a: NanoCore 0x1d7bc0:$b: ClientPlugin 0x1d7dc2:$b: ClientPlugin 0x1d7e02:$b: ClientPlugin 0x2a4400:$b: ClientPlugin 0x2a4602:$b: ClientPlugin 0x2a4642:$b: ClientPlugin 0x1d7ce7:$c: ProjectData 0x2a4527:$c: ProjectData 0x1d86ee:$d: DESCrypto 0x2a4f2e:$d: DESCrypto 0x1ac58a:$e: KeepAlive
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	DarkComet_1	DarkComet RAT	botherder https://github.com/botherder	0x1a44e8:$bot1: #BOT#OpenUrl 0x283508:$bot1: #BOT#OpenUrl 0x1a4564:$bot2: #BOT#Ping 0x283584:$bot2: #BOT#Ping 0x1a45ac:$bot3: #BOT#RunPrompt 0x2835cc:$bot3: #BOT#RunPrompt 0x1a466c:$bot4: #BOT#SvrUninstall 0x28368c:$bot4: #BOT#SvrUninstall 0x1a47b4:$bot5: #BOT#URLDownload 0x2837d4:$bot5: #BOT#URLDownload 0x1a46cc:$bot6: #BOT#URLUpdate 0x2836ec:$bot6: #BOT#URLUpdate 0x1a44d0:$bot7: #BOT#VisitUrl 0x2834f0:$bot7: #BOT#VisitUrl 0x1a4610:$bot8: #BOT#CloseServer 0x283630:$bot8: #BOT#CloseServer 0x1a4858:$ddos1: DDOSHTTPFLOOD 0x283878:$ddos1: DDOSHTTPFLOOD 0x1a4870:$ddos2: DDOSSYNFLOOD 0x283890:$ddos2: DDOSSYNFLOOD 0x1a4888:$ddos3: DDOSUDPFLOOD
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	DarkComet_3	unknown	Kevin Breen <kevin@techanarchy.net>	0x1a46cc:$a1: #BOT#URLUpdate 0x2836ec:$a1: #BOT#URLUpdate 0x1a45e5:$a2: Command successfully executed! 0x283605:$a2: Command successfully executed! 0x127628:$b1: FastMM Borland Edition 0x206648:$b1: FastMM Borland Edition 0x15216c:$b2: %s, ClassID: %s 0x23118c:$b2: %s, ClassID: %s 0x199048:$b3: I wasn't able to open the hosts file 0x278068:$b3: I wasn't able to open the hosts file 0x1a44d0:$b4: #BOT#VisitUrl 0x2834f0:$b4: #BOT#VisitUrl 0x1933e0:$b5: #KCMDDC 0x272400:$b5: #KCMDDC
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	DarkComet_4	unknown	unknown	0x1a44d0:$a1: #BOT# 0x1a44e8:$a1: #BOT# 0x1a4564:$a1: #BOT# 0x1a45ac:$a1: #BOT# 0x1a4610:$a1: #BOT# 0x1a466c:$a1: #BOT# 0x1a46cc:$a1: #BOT# 0x1a47b4:$a1: #BOT# 0x2834f0:$a1: #BOT# 0x283508:$a1: #BOT# 0x283584:$a1: #BOT# 0x2835cc:$a1: #BOT# 0x283630:$a1: #BOT# 0x28368c:$a1: #BOT# 0x2836ec:$a1: #BOT# 0x2837d4:$a1: #BOT# 0x1a4bec:$a2: WEBCAMSTOP 0x283c0c:$a2: WEBCAMSTOP 0x1a3f88:$a3: UnActiveOnlineKeyStrokes 0x282fa8:$a3: UnActiveOnlineKeyStrokes 0x1a4438:$a4: #SendTaskMgr
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	Windows_Trojan_Darkcomet_1df27bcc	unknown	unknown	0x1a9bdc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x288bfc:$a1: BTRESULTHTTP Flood\|Http Flood task finished!\| 0x1a454d:$a2: is now open!\| 0x28356d:$a2: is now open!\| 0x1a3ea8:$a3: ActiveOnlineKeylogger 0x282ec8:$a3: ActiveOnlineKeylogger 0x1a45ac:$a4: #BOT#RunPrompt 0x2835cc:$a4: #BOT#RunPrompt 0x1a3654:$a5: GETMONITORS 0x282674:$a5: GETMONITORS
0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1d7df9:$a1: NanoCore.ClientPluginHost 0x2a4639:$a1: NanoCore.ClientPluginHost 0x1d7db9:$a2: NanoCore.ClientPlugin 0x2a45f9:$a2: NanoCore.ClientPlugin 0x1d9d12:$b1: get_BuilderSettings 0x2a6552:$b1: get_BuilderSettings 0x1d7c15:$b2: ClientLoaderForm.resources 0x2a4455:$b2: ClientLoaderForm.resources 0x1d9432:$b3: PluginCommand 0x2a5c72:$b3: PluginCommand 0x1d7dea:$b4: IClientAppHost 0x2a462a:$b4: IClientAppHost 0x1e226a:$b5: GetBlockHash 0x2aeaaa:$b5: GetBlockHash 0x1da36a:$b6: AddHostEntry 0x2a6baa:$b6: AddHostEntry 0x1de05d:$b7: LogClientException 0x2aa89d:$b7: LogClientException 0x1da2d7:$b8: PipeExists 0x2a6b17:$b8: PipeExists 0x1d7e23:$b9: IClientLoggingHost
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth (Nextron Systems)	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x35ce6a:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x3dac2:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q
0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack	Windows_Trojan_Nanocore_d8c4e3c5	unknown	unknown	0x1018d:$a1: NanoCore.ClientPluginHost 0x1014d:$a2: NanoCore.ClientPlugin 0x120a6:$b1: get_BuilderSettings 0xffa9:$b2: ClientLoaderForm.resources 0x117c6:$b3: PluginCommand 0x1017e:$b4: IClientAppHost 0x1a5fe:$b5: GetBlockHash 0x126fe:$b6: AddHostEntry 0x163f1:$b7: LogClientException 0x1266b:$b8: PipeExists 0x101b7:$b9: IClientLoggingHost
Click to see the 344 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, ProcessId: 8176, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe, ParentImage: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe, ParentProcessId: 7460, ParentProcessName: A1DB2JVWGG.CNT.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp, ProcessId: 7660, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049702282892025019 06/02/23-02:26:44.385767
SID:	2025019
Source Port:	49702
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DarkComet-RAT init connection 2 - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.339399497042806577 06/02/23-02:27:01.218517
SID:	2806577
Source Port:	39399
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049711282892025019 06/02/23-02:27:54.203652
SID:	2025019
Source Port:	49711
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049713282892025019 06/02/23-02:28:03.961219
SID:	2025019
Source Port:	49713
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049705282892025019 06/02/23-02:27:16.433852
SID:	2025019
Source Port:	49705
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049712282892025019 06/02/23-02:27:59.459924
SID:	2025019
Source Port:	49712
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049716282892025019 06/02/23-02:28:22.359438
SID:	2025019
Source Port:	49716
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049706282892025019 06/02/23-02:27:24.140871
SID:	2025019
Source Port:	49706
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049708282892025019 06/02/23-02:27:35.526983
SID:	2025019
Source Port:	49708
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049707282892025019 06/02/23-02:27:28.447502
SID:	2025019
Source Port:	49707
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049713282892816718 06/02/23-02:28:05.016410
SID:	2816718
Source Port:	49713
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049702282892816718 06/02/23-02:26:45.935768
SID:	2816718
Source Port:	49702
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049710282892025019 06/02/23-02:27:47.888873
SID:	2025019
Source Port:	49710
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049708282892816766 06/02/23-02:27:36.099395
SID:	2816766
Source Port:	49708
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049707282892816766 06/02/23-02:27:29.300655
SID:	2816766
Source Port:	49707
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049709282892816766 06/02/23-02:27:43.508322
SID:	2816766
Source Port:	49709
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049706282892816766 06/02/23-02:27:24.211225
SID:	2816766
Source Port:	49706
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049716282892816766 06/02/23-02:28:25.005929
SID:	2816766
Source Port:	49716
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049709282892025019 06/02/23-02:27:41.004326
SID:	2025019
Source Port:	49709
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DarkComet-RAT server join acknowledgement 2 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049704393992806578 06/02/23-02:27:01.218732
SID:	2806578
Source Port:	49704
Destination Port:	39399
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN DarkComet-RAT activity - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049704393992807821 06/02/23-02:28:23.003919
SID:	2807821
Source Port:	49704
Destination Port:	39399
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049710282892816766 06/02/23-02:27:48.244529
SID:	2816766
Source Port:	49710
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049711282892816766 06/02/23-02:27:54.312190
SID:	2816766
Source Port:	49711
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497142841753 06/02/23-02:28:11.405336
SID:	2841753
Source Port:	28289
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049702282892816766 06/02/23-02:26:46.881522
SID:	2816766
Source Port:	49702
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049712282892816766 06/02/23-02:27:59.647498
SID:	2816766
Source Port:	49712
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049713282892816766 06/02/23-02:28:06.982149
SID:	2816766
Source Port:	49713
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497062810290 06/02/23-02:27:24.236176
SID:	2810290
Source Port:	28289
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497032841753 06/02/23-02:27:02.943535
SID:	2841753
Source Port:	28289
Destination Port:	49703
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049714282892816766 06/02/23-02:28:11.424790
SID:	2816766
Source Port:	49714
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049715282892816766 06/02/23-02:28:17.957593
SID:	2816766
Source Port:	49715
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049703282892816766 06/02/23-02:27:05.840215
SID:	2816766
Source Port:	49703
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049705282892816766 06/02/23-02:27:18.414247
SID:	2816766
Source Port:	49705
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497122841753 06/02/23-02:27:59.490400
SID:	2841753
Source Port:	28289
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497102841753 06/02/23-02:27:47.915148
SID:	2841753
Source Port:	28289
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497112841753 06/02/23-02:27:54.245563
SID:	2841753
Source Port:	28289
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497062841753 06/02/23-02:27:24.193892
SID:	2841753
Source Port:	28289
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497072841753 06/02/23-02:27:28.477912
SID:	2841753
Source Port:	28289
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 5.252.165.230 - Destination IP: 192.168.2.3

Timestamp:	5.252.165.230192.168.2.328289497082841753 06/02/23-02:27:35.555003
SID:	2841753
Source Port:	28289
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049715282892025019 06/02/23-02:28:16.130201
SID:	2025019
Source Port:	49715
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049703282892025019 06/02/23-02:26:52.916534
SID:	2025019
Source Port:	49703
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 5.252.165.230

Timestamp:	192.168.2.35.252.165.23049714282892025019 06/02/23-02:28:11.375206
SID:	2025019
Source Port:	49714
Destination Port:	28289
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: timmy06.ddns.net	Avira URL Cloud: Label: malware
Source: timmy08.ddns.net	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Found malware configuration

Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "29684d78-e3d5-43d3-a123-9a499c31", "Group": "JUNE 2023", "Domain1": "timmy08.ddns.net", "Domain2": "timmy06.ddns.net", "Port": 28289, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack	Malware Configuration Extractor: DarkComet {"MUTEX": "DC_MUTEX-75NC51J", "SID": "JUNE 2023", "FWB": "0", "NETDATA": ["timmy08.ddns.net:39399"], "GENCODE": "l2V3BCJaaFmA", "INSTALL": "1", "COMBOPATH": "7", "EDTPATH": "MSDCSC\\msdcsc.exe", "KEYNAME": "chrome", "EDTDATE": "16/04/2007", "PERSINST": "1", "MELT": "1", "CHANGEDATE": "0", "DIRATTRIB": "6", "FILEATTRIB": "6", "SH1": "1", "SH3": "1", "SH7": "1", "SH8": "1", "SH9": "1", "CHIDEF": "1", "CHIDED": "1", "PERS": "1", "OFFLINEK": "1", "BIND": "1", "MULTIBIND": "1"}

Multi AV Scanner detection for submitted file

Source: A1DB2JVWGG.CNT.exe	ReversingLabs: Detection: 21%
Source: A1DB2JVWGG.CNT.exe	Virustotal: Detection: 29%			Perma Link

Multi AV Scanner detection for domain / URL

Source: timmy08.ddns.net	Virustotal: Detection: 13%			Perma Link
Source: timmy08.ddns.net	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	ReversingLabs: Detection: 27%

Machine Learning detection for sample

Source: A1DB2JVWGG.CNT.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Joe Sandbox ML: detected

Source: A1DB2JVWGG.CNT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: A1DB2JVWGG.CNT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: hC:\Windows\System.pdb source: JUNE STUB.EXE, 00000013.00000002.638522361.00000000069BC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: TIvm.pdbSHA256p source: A1DB2JVWGG.CNT.exe, msdcsc.exe.12.dr, JXayEzy.exe.0.dr
Source:	Binary string: TIvm.pdb source: A1DB2JVWGG.CNT.exe, msdcsc.exe.12.dr, JXayEzy.exe.0.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: JUNE STUB.EXE, 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: JUNE STUB.EXE, 00000013.00000003.487501423.0000000006B70000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.483018653.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.474665549.0000000006B65000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.510762326.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.448971012.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.506714700.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.497686142.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.455711807.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.460528968.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: indows\dll\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Code function: 4x nop then jmp 0785B403h

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49702 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49702 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49702 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49703 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49703 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49703
Source: Traffic	Snort IDS: 2806577 ETPRO TROJAN DarkComet-RAT init connection 2 5.252.165.230:39399 -> 192.168.2.3:49704
Source: Traffic	Snort IDS: 2806578 ETPRO TROJAN DarkComet-RAT server join acknowledgement 2 192.168.2.3:49704 -> 5.252.165.230:39399
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49705 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49705 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2807821 ETPRO TROJAN DarkComet-RAT activity 192.168.2.3:49704 -> 5.252.165.230:39399
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49706
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49706 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 5.252.165.230:28289 -> 192.168.2.3:49706
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49707
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49707 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49708 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49708
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49708 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49709 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49710 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49710
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49710 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49711
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49711 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49712
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49712 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49713 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49713 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49714 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 5.252.165.230:28289 -> 192.168.2.3:49714
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49714 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49715 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 5.252.165.230:28289
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49716 -> 5.252.165.230:28289

Uses dynamic DNS services

Source: unknown

DNS query: name: timmy08.ddns.net

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: timmy06.ddns.net
Source: Malware configuration extractor	URLs: timmy08.ddns.net

Source: Joe Sandbox View

ASN Name: RIXCLOUD-INCUS RIXCLOUD-INCUS

Source: global traffic

TCP traffic: 192.168.2.3:49702 -> 5.252.165.230:28289

Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358071188.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wikip
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://google.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.442690195.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000016.00000002.475372371.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000024.00000002.512029267.0000000003097000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358704115.0000000005DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comtig
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358704115.0000000005DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comto
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comceu3
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441627539.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn-
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/H
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn9
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnU
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnw
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/m
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r-f
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown

DNS traffic detected: queries for: timmy08.ddns.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Documents\MSDCSC\msdcsc.exe

Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.2f60c98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.2f2f970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.397292430.000000000049D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.475372371.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.442690195.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR

Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.388355387.00000000011C9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: JUNE STUB.EXE, 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000020.00000002.622990283.0000000002C81000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000027.00000002.468665185.0000000002E81000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000027.00000002.468665185.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.400104178.0000000003096000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000002B.00000002.507022400.0000000002ACA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000020.00000002.622990283.0000000002C2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000002B.00000002.507022400.0000000002AA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000002B.00000002.507022400.0000000002A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000027.00000002.468665185.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000020.00000002.622990283.0000000002C7A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet Author: ditekSHen
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000027.00000002.468665185.0000000002E2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.400104178.000000000306C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.631531483.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.400104178.00000000030BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000013.00000002.631531483.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000000C.00000002.400104178.00000000030C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 0000002B.00000002.507022400.0000000002AD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 Author: unknown
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet_4 Author: unknown
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc Author: unknown
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: msdcsc.exe PID: 6288, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: notepad.exe PID: 1340, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: msdcsc.exe PID: 5840, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: msdcsc.exe PID: 5236, type: MEMORYSTR	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Detects NanoCore Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Detects NanoCore Author: ditekSHen
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Yara detected DarkComet

Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0153C2B4
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0153E6F8
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0153E6EB
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0785A848
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0785572C
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_0785CAE8
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_07853920
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Code function: 7_2_0151C2B4
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Code function: 7_2_0151E6F8
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Code function: 7_2_0151E6EA
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00402370
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004064C0
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0043E644
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004389B4
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0045EC78
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0046ADBC
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0046797C
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00469B90

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Section loaded: starttiledata.dll
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Section loaded: sfc.dll

Source: A1DB2JVWGG.CNT.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c40000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6ce0000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6ca0000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.5a80000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c80000.18.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c60000.17.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c80000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 34.2.JUNE STUB.EXE.2ef3d9c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6cd0000.22.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.3430124.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c20000.15.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.2.dhcpmon.exe.29f3dc4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4588b4e.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4591d82.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d0e8a4.26.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4596a21.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4591d82.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c90000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6ce0000.23.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6cb0000.21.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c60000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.JUNE STUB.EXE.3444758.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6cb0000.21.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d00000.24.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6cd0000.22.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.3423ee4.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c10000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.442df9c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.441f6f8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d30000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4424397.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6ca0000.20.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c20000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d04c9f.25.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.4588b4e.9.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d30000.27.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6d00000.24.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.6c10000.14.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.33b13b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.441f6f8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.JUNE STUB.EXE.3430124.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.JUNE STUB.EXE.3423ee4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000020.00000002.622990283.0000000002C81000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000027.00000002.468665185.0000000002E81000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000027.00000002.468665185.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.400104178.0000000003096000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000002B.00000002.507022400.0000000002ACA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000020.00000002.622990283.0000000002C2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000002B.00000002.507022400.0000000002AA6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000002B.00000002.507022400.0000000002A7C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000027.00000002.468665185.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000020.00000002.622990283.0000000002C7A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth (Nextron Systems), description = VT Research QA uploaded malware - file update.exe, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541, reference = VT Research QA, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DarkComet author = ditekSHen, description = Detects DarkComet
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000027.00000002.468665185.0000000002E2C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.400104178.000000000306C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.631531483.0000000004515000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.400104178.00000000030BA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000013.00000002.631531483.000000000441F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000000C.00000002.400104178.00000000030C1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 0000002B.00000002.507022400.0000000002AD1000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: DarkComet_4 reference = https://github.com/bwall/bamfdetect/blob/master/BAMF_Detect/modules/yara/darkcomet.yara
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Darkcomet_1df27bcc reference_sample = 7fbe87545eef49da0df850719536bb30b196f7ad2d5a34ee795c01381ffda569, os = windows, severity = x86, creation_date = 2021-08-16, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Darkcomet, fingerprint = 63b77999860534b71b7b4e7b3da9df175ccd0009f4c13215a59c6b83e0e95b3b, id = 1df27bcc-9f18-48d4-bd7f-73bdc7cb1e63, last_modified = 2021-10-04
Source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: msdcsc.exe PID: 6288, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: notepad.exe PID: 1340, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: msdcsc.exe PID: 5840, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: msdcsc.exe PID: 5236, type: MEMORYSTR	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 00407B10 appears 139 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 004735E8 appears 39 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 00407B08 appears 33 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 004218E4 appears 86 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 00405584 appears 61 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 00405530 appears 72 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 004055C8 appears 36 times
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: String function: 00405864 appears 33 times

Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000000.354997708.0000000000B91000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTIvm.exe> vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.388355387.00000000011C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.450107518.0000000008E60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll4 vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRDX.dll4 vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCruiser.dll4 vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.371921496.000000000C056000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTIvm.exe> vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.441011209.0000000005740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRDX.dll4 vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSRSAAP.EXEV vs A1DB2JVWGG.CNT.exe
Source: A1DB2JVWGG.CNT.exe	Binary or memory string: OriginalFilenameTIvm.exe> vs A1DB2JVWGG.CNT.exe

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Process token adjusted: Load Driver

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Process token adjusted: Security

Source: A1DB2JVWGG.CNT.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JXayEzy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: msdcsc.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JUNE STUB.EXE.12.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9995982142857143
Source: dhcpmon.exe.19.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9995982142857143

Source: A1DB2JVWGG.CNT.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File created: C:\Users\user\AppData\Roaming\JXayEzy.exe

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@67/28@15/2

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: dhcpmon.exe.19.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: dhcpmon.exe.19.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: JUNE STUB.EXE.12.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: JUNE STUB.EXE.12.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Code function: 12_2_0048DDE0 FindResourceA,

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE

File created: C:\Program Files (x86)\DHCP Monitor

Source: A1DB2JVWGG.CNT.exe	ReversingLabs: Detection: 21%
Source: A1DB2JVWGG.CNT.exe	Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File read: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Jump to behavior

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JXayEzy.exe C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe "C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Source: unknown	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe "C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp5A49.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad
Source: unknown	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe "C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp9C72.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmpE34F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe "C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp5A49.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp9C72.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\notepad.exe notepad
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmpE34F.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Code function: 12_2_0048AEA8 AdjustTokenPrivileges,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File created: C:\Users\user\AppData\Local\Temp\tmp12D0.tmp

Jump to behavior

Source: A1DB2JVWGG.CNT.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8064:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\{29684d78-e3d5-43d3-a123-9a499c3134c7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_01
Source: C:\Windows\SysWOW64\notepad.exe	Mutant created: \Sessions\1\BaseNamedObjects\DCPERSFWBP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_01
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\LjIBsAOPqgWq
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-75NC51J

Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: JUNE STUB.EXE.12.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: JUNE STUB.EXE.12.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: JUNE STUB.EXE.12.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.19.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: dhcpmon.exe.19.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: dhcpmon.exe.19.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: A1DB2JVWGG.CNT.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: A1DB2JVWGG.CNT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: A1DB2JVWGG.CNT.exe

Static file information: File size 2223104 > 1048576

Source: A1DB2JVWGG.CNT.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1b4600

Source: A1DB2JVWGG.CNT.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: A1DB2JVWGG.CNT.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: hC:\Windows\System.pdb source: JUNE STUB.EXE, 00000013.00000002.638522361.00000000069BC000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: TIvm.pdbSHA256p source: A1DB2JVWGG.CNT.exe, msdcsc.exe.12.dr, JXayEzy.exe.0.dr
Source:	Binary string: TIvm.pdb source: A1DB2JVWGG.CNT.exe, msdcsc.exe.12.dr, JXayEzy.exe.0.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: JUNE STUB.EXE, 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: JUNE STUB.EXE, 00000013.00000003.487501423.0000000006B70000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.483018653.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.474665549.0000000006B65000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.510762326.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.448971012.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.506714700.0000000006B71000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.497686142.0000000006B6C000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.455711807.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.460528968.0000000006B6E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: indows\System.pdbpdbtem.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: indows\dll\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: JUNE STUB.EXE, 00000013.00000002.624951060.0000000003055000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: JUNE STUB.EXE.12.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: JUNE STUB.EXE.12.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.19.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: dhcpmon.exe.19.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_078565E5 push edi; retf
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 0_2_078561EA push edx; iretd
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004186D4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0048F0AC push 0048F125h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0048F6D4 push 0048F761h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00482058 push 004820C2h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0045E078 push 0045E0DEh; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004220E0 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004660F8 push 00466130h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0042E138 push 0042E170h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004741C4 push 00474206h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004041DC push eax; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0046224C push 00462284h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00464228 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004482C4 push 0044832Eh; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0041632A push 004163A2h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0041632C push 004163A2h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0048E3AC push 0048E3DCh; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0046E3A0 push 0046E3EDh; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004204E4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004086CC push 0040870Eh; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0044A74C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_004107FC push 00410828h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0042E8B8 push 0042E8E4h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00430910 push 00430970h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00422924 push 00422967h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00418930 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0044A9F0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_0045E988 push 0045E9B4h; ret
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00418A50 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: 12_2_00460A20 push 00460A53h; ret

Source: initial sample	Static PE information: section name: .text entropy: 7.897532048001292
Source: initial sample	Static PE information: section name: .text entropy: 7.897532048001292
Source: initial sample	Static PE information: section name: .text entropy: 7.897532048001292

Source: JUNE STUB.EXE.12.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: JUNE STUB.EXE.12.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.19.dr, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: dhcpmon.exe.19.dr, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: attrib.exe

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

File created: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Jump to dropped file

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File created: C:\Users\user\AppData\Roaming\JXayEzy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File created: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon UserInit

Jump to behavior

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run chrome			Jump to behavior
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run chrome			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\notepad.exe

File deleted: c:\users\user\desktop\a1db2jvwgg.cnt.exe

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE

File opened: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe TID: 7464	Thread sleep time: -38157s >= -30000s
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe TID: 7480	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep count: 9151 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe TID: 7812	Thread sleep time: -38157s >= -30000s
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe TID: 7932	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE TID: 5828	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE TID: 5884	Thread sleep time: -640000s >= -30000s
Source: C:\Windows\SysWOW64\notepad.exe TID: 7272	Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 5824	Thread sleep time: -38157s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 7276	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 7304	Thread sleep time: -38157s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 3360	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 5712	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep count: 8724 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6220	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 7040	Thread sleep time: -4840000s >= -30000s
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE TID: 7180	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\notepad.exe TID: 8140	Thread sleep count: 160 > 30
Source: C:\Windows\SysWOW64\notepad.exe TID: 8140	Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 5728	Thread sleep time: -38157s >= -30000s
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe TID: 5724	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\notepad.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\notepad.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9151
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9106
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Window / User API: foregroundWindowGot 459
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Window / User API: foregroundWindowGot 439
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8724
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8798
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Window / User API: threadDelayed 484

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread delayed: delay time: 38157
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Thread delayed: delay time: 38157
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 38157
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 38157
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 38157
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer

Source: A1DB2JVWGG.CNT.exe, 00000000.00000003.371680748.0000000008D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:ymX
Source: A1DB2JVWGG.CNT.exe, 0000000C.00000002.399046925.00000000013B8000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.422343833.0000000001367000.00000004.00000020.00020000.00000000.sdmp, msdcsc.exe, 00000020.00000002.621201902.0000000001008000.00000004.00000020.00020000.00000000.sdmp, msdcsc.exe, 00000027.00000002.465835536.0000000001108000.00000004.00000020.00020000.00000000.sdmp, msdcsc.exe, 0000002B.00000002.505886433.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	Process token adjusted: Debug
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 9C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 9D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 8C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: D20000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: D70000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: D90000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 31B0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 31C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 31D0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4920000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4930000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 49C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 6620000 protect: page execute and read and write
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 6630000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 380000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 800000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 9A0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 9B0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: B70000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: B80000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: DC0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4240000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4260000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4850000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 4860000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5AC0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5AD0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5AE0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5AF0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5B00000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5B90000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5BA0000 protect: page execute and read and write
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory allocated: C:\Windows\SysWOW64\notepad.exe base: 5BB0000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Memory written: C:\Users\user\Documents\MSDCSC\msdcsc.exe base: 400000 value starts with: 4D5A

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 6630000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Thread created: C:\Windows\SysWOW64\notepad.exe EIP: 5BB0000

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe

Writes to foreign memory regions

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 9C0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 9D0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 8C0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: D20000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: D70000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: D90000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 31B0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 31C0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 31D0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4920000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4930000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 49C0000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 6620000
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 6630000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 380000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 800000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 9A0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 9B0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: B70000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: B80000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: DC0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4240000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4260000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4850000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 4860000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5AC0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5AD0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5AE0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5AF0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5B00000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5B90000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5BA0000
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Memory written: C:\Windows\SysWOW64\notepad.exe base: 5BB0000

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe "C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib "C:\Users\user\Desktop" +s +h
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp5A49.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp9C72.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE "C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmpE34F.tmp
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Process created: C:\Users\user\Documents\MSDCSC\msdcsc.exe C:\Users\user\Documents\MSDCSC\msdcsc.exe

Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh<
Source: JUNE STUB.EXE, 00000013.00000003.601968985.0000000006B32000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.613938133.0000000006B5B000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.474665549.0000000006B5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerp
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerT
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ProgmanU
Source: JUNE STUB.EXE, 00000013.00000003.615100465.00000000013A5000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.488108905.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.572873799.00000000013A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerter2
Source: JUNE STUB.EXE, 00000013.00000003.601968985.0000000006B32000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.587753773.0000000006B32000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.638759890.0000000006B32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerD:{00000339-0000-0000-C000-000000000046} Flags:17 IID:{00000000-0000-0000-C000-000000000046}
Source: JUNE STUB.EXE, 00000013.00000003.436993571.0000000001375000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.488108905.0000000001374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\U
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywndReBarWindow32jhD
Source: JUNE STUB.EXE, 00000013.00000003.613938133.0000000006B30000.00000004.00000020.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000003.601968985.0000000006B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000035B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD
Source: A1DB2JVWGG.CNT.exe, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: A1DB2JVWGG.CNT.exe, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progman
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000036C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerL
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Progmanjhh
Source: msdcsc.exe, 00000020.00000002.621201902.0000000001034000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQp,
Source: msdcsc.exe, 00000020.00000002.621201902.0000000001034000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@p=
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: A1DB2JVWGG.CNT.exe, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_traywnd
Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndPjjh

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Code function: GetLocaleInfoA,LoadLibraryExA,LoadLibraryExA,

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Queries volume information: C:\Users\user\AppData\Roaming\JXayEzy.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JXayEzy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Users\user\Documents\MSDCSC\msdcsc.exe VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Users\user\Documents\MSDCSC\msdcsc.exe VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Users\user\Documents\MSDCSC\msdcsc.exe VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusDisableNotify

Disables the Windows task manager (taskmgr)

Source: C:\Users\user\Documents\MSDCSC\msdcsc.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Directory queried: C:\Users\user\Documents\MSDCSC
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe	Directory queried: C:\Users\user\Documents\MSDCSC

Remote Access Functionality

Detected Nanocore Rat

Source: A1DB2JVWGG.CNT.exe, 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: A1DB2JVWGG.CNT.exe, 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: JUNE STUB.EXE, 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: JUNE STUB.EXE, 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: JUNE STUB.EXE, 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: JUNE STUB.EXE, 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: JUNE STUB.EXE, 00000013.00000002.631531483.0000000004515000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JUNE STUB.EXE, 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.631531483.000000000441F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: msdcsc.exe, 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: msdcsc.exe, 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JUNE STUB.EXE, 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JUNE STUB.EXE, 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JUNE STUB.EXE.12.dr	String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe.19.dr	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a22a45.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4b1b0d4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4b4dcb4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a1e41c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d14629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.JUNE STUB.EXE.cc0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JUNE STUB.EXE.5d10000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4a4e894.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.A1DB2JVWGG.CNT.exe.4ad84c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.msdcsc.exe.504a4f4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.dhcpmon.exe.3a195e6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.msdcsc.exe.4126b74.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.4886c28.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.A1DB2JVWGG.CNT.exe.41a691c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: A1DB2JVWGG.CNT.exe PID: 7948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 5860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msdcsc.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JUNE STUB.EXE PID: 8152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 LSASS Driver	1 LSASS Driver	31 Disable or Modify Tools	121 Input Capture	12 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Windows Service	1 Access Token Manipulation	4 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	121 Input Capture	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Scheduled Task/Job	1 Windows Service	13 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	11 Registry Run Keys / Startup Folder	412 Process Injection	1 DLL Side-Loading	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Scheduled Task/Job	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	11 Registry Run Keys / Startup Folder	2 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Access Token Manipulation	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	412 Process Injection	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 Hidden Files and Directories	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
A1DB2JVWGG.CNT.exe	22%	ReversingLabs	Win32.Trojan.Generic
A1DB2JVWGG.CNT.exe	30%	Virustotal		Browse
A1DB2JVWGG.CNT.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Avira	TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	100%	Joe Sandbox ML
C:\Users\user\Documents\MSDCSC\msdcsc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JXayEzy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JXayEzy.exe	27%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\Documents\MSDCSC\msdcsc.exe	27%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
timmy08.ddns.net	13%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cnK	0%	URL Reputation	safe
http://www.founder.com.cn/cnK	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/H	0%	URL Reputation	safe
http://www.founder.com.cn/cnU	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/3	0%	URL Reputation	safe
http://www.founder.com.cn/cnw	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/m	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/%	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.carterandcone.comtig	0%	URL Reputation	safe
http://www.founder.com.cn/cn/H	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/A	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://en.wikip	0%	URL Reputation	safe
http://www.carterandcone.comto	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn-	0%	URL Reputation	safe
http://www.founder.com.cn/cn9	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/_	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/_	0%	URL Reputation	safe
http://www.fontbureau.comceu3	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/r-f	0%	Avira URL Cloud	safe
timmy06.ddns.net	100%	Avira URL Cloud	malware
timmy08.ddns.net	100%	Avira URL Cloud	malware
timmy08.ddns.net	13%	Virustotal		Browse
http://www.jiyu-kobo.co.jp/r-f	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
timmy08.ddns.net	5.252.165.230	true	true	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
timmy08.ddns.net	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
timmy06.ddns.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cnK	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comceu3	A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/bThe	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/jp/H	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnU	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://google.com	JUNE STUB.EXE, 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, JUNE STUB.EXE, 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.sajatypeworks.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/3	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/r-f	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cnw	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/m	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/%	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	A1DB2JVWGG.CNT.exe, 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000015.00000002.442690195.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000016.00000002.475372371.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, msdcsc.exe, 00000024.00000002.512029267.0000000003097000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnd	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comtig	A1DB2JVWGG.CNT.exe, 00000000.00000003.358704115.0000000005DB3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/H	A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/A	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://en.wikip	A1DB2JVWGG.CNT.exe, 00000000.00000003.358071188.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comto	A1DB2JVWGG.CNT.exe, 00000000.00000003.358704115.0000000005DB3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn-	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn9	A1DB2JVWGG.CNT.exe, 00000000.00000003.358248155.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.358336012.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	A1DB2JVWGG.CNT.exe, 00000000.00000002.441627539.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.384541193.0000000005DB0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	A1DB2JVWGG.CNT.exe, 00000000.00000002.441824981.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/_	A1DB2JVWGG.CNT.exe, 00000000.00000003.359124042.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp, A1DB2JVWGG.CNT.exe, 00000000.00000003.359247918.0000000005DB7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.252.165.230	timmy08.ddns.net	United States		64271	RIXCLOUD-INCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	880328
Start date and time:	2023-06-02 02:25:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	46
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	A1DB2JVWGG.CNT.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@67/28@15/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 90.6%) Quality average: 72.7% Quality standard deviation: 31.8%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
TCP Packets have been reduced to 100
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:26:28	API Interceptor	2x Sleep call for process: A1DB2JVWGG.CNT.exe modified
02:26:32	Task Scheduler	Run new task: JXayEzy path: C:\Users\user\AppData\Roaming\JXayEzy.exe
02:26:32	API Interceptor	131x Sleep call for process: powershell.exe modified
02:26:39	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run chrome C:\Users\user\Documents\MSDCSC\msdcsc.exe
02:26:41	API Interceptor	459x Sleep call for process: JUNE STUB.EXE modified
02:26:46	API Interceptor	752x Sleep call for process: msdcsc.exe modified
02:26:47	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
02:26:57	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run chrome C:\Users\user\Documents\MSDCSC\msdcsc.exe
02:27:03	API Interceptor	1x Sleep call for process: JXayEzy.exe modified

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	207360
Entropy (8bit):	7.448476558203999
Encrypted:	false
SSDEEP:	6144:gLV6Bta6dtJmakIM5W4w9QT09e8iCp1Tz5kl7:gLV6BtpmkjIIc8iCp1P5kl7
MD5:	4D9AC7D6E684CD3874B662971B6BC536
SHA1:	726CD96B680082910EBC451D7741A2D6934ED339
SHA-256:	48987956556721DFB5F988683693BEBC094B5965F6BD58EEFF928FD7C6BA9330
SHA-512:	27DDC60B921ED3B6B9223321EA310FA6CE9A3F4D0CB1B96899FC8FB08556D73F92FB3EC7DA93A60DE046105129B1B128828D5AB57869160749A5F7F2A7A8AB71
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JUNE STUB.EXE.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

Download File

Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	525
Entropy (8bit):	5.2874233355119316
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
MD5:	61CCF53571C9ABA6511D696CB0D32E45
SHA1:	A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA-256:	3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
SHA-512:	90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
Malicious:	false
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\A1DB2JVWGG.CNT.exe.log

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84bE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	4664C2114894A4BFC1E657FC08C72FF4
SHA1:	95A1E14E2AD65BCA561261DA3899074BF5276AED
SHA-256:	6E36229D13672B4304C696812B365F2E5657875DD0E11F13AE010566CC87607A
SHA-512:	4E7862716D5C0BC2174E819BAB329A2974FE83A36D5417EE732AB2F3D77D95620B3D462A1C9608F5FE90A48030140DE53DB642F8C370CD8E191BDBE83C638CA1
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JXayEzy.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\JXayEzy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msdcsc.exe.log

Download File

Process:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.3499841584777394
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84bE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	4664C2114894A4BFC1E657FC08C72FF4
SHA1:	95A1E14E2AD65BCA561261DA3899074BF5276AED
SHA-256:	6E36229D13672B4304C696812B365F2E5657875DD0E11F13AE010566CC87607A
SHA-512:	4E7862716D5C0BC2174E819BAB329A2974FE83A36D5417EE732AB2F3D77D95620B3D462A1C9608F5FE90A48030140DE53DB642F8C370CD8E191BDBE83C638CA1
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21860
Entropy (8bit):	5.5972826889109575
Encrypted:	false
SSDEEP:	384:WtCRLq0DKA7vZF+0oj8nYSBxouleWiJ9glSJ3uyzSv0ZqbAVrd3sffBT+iRYc:5V0diY4iuleOlcuBs4wk+c
MD5:	0053A5FE80C85D084F9273222792DE1C
SHA1:	E9518C301A6C283676FF55B86C23831F40AF019E
SHA-256:	22B5F051CEE4CC570A86DB41F8F1ADADEF798462A25C27A8B7B7AA382288881A
SHA-512:	3BC8313C2DBE0AF84FB75700F85E81A79BD58F65AB9694DA7D09B5FC392CC8316F779036E242658BF691BC5752F980881763DBC3A9D58C5350A95668D6347012
Malicious:	false
Preview:	@...e...................c.f...............D..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	207360
Entropy (8bit):	7.448476558203999
Encrypted:	false
SSDEEP:	6144:gLV6Bta6dtJmakIM5W4w9QT09e8iCp1Tz5kl7:gLV6BtpmkjIIc8iCp1P5kl7
MD5:	4D9AC7D6E684CD3874B662971B6BC536
SHA1:	726CD96B680082910EBC451D7741A2D6934ED339
SHA-256:	48987956556721DFB5F988683693BEBC094B5965F6BD58EEFF928FD7C6BA9330
SHA-512:	27DDC60B921ED3B6B9223321EA310FA6CE9A3F4D0CB1B96899FC8FB08556D73F92FB3EC7DA93A60DE046105129B1B128828D5AB57869160749A5F7F2A7A8AB71
Malicious:	true
Yara Hits:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. ......................................................................8...W.... ...]........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc....]... ...^..................@..@................t.......H...........T............................................................0..Q........o5........o6....-.&......3+..+.... ....3......1..... 2.... ....3.... ............0..E.......s7....-(&s8....-&&s9....,$&s:........s;.............+.....+.....+.....0..........~....o<.....0..........~....o=.....0..........~....o>.....0..........~....o?.....0..........~....o@.....0.............-.&(A...&+...0..$.......~B........-.(...+.-.&+..B...+.~B....0.............-.&(A...&+...0..

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2dokkkyb.5a3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ccef3fwz.eck.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d5tgwwwd.pky.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hzblhftc.ghg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kq5n4yzc.iw1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qo2objni.hng.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uzgv2wkw.yz4.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdxwza43.sz1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp12D0.tmp

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.151574547335532
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	B8801377A791997FBC93D3EDC361C57F
SHA1:	CBC782BC13AAD45C48C7DE025F1478F065FF38BB
SHA-256:	EBBCB00843283918F69415DF2D0FE78D7239527A592F03E65F296EEE3F9FB4E4
SHA-512:	4A68B1BED4CEDE648A1AD0BE535DB587844AE8D69E742C49DA0F3EE0B01F3F983E96F21F77CE9CE69BC3204F57AA91B289253E25FF118B74FCDC1329A4004C49
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmp5A49.tmp

Download File

Process:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.151574547335532
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	B8801377A791997FBC93D3EDC361C57F
SHA1:	CBC782BC13AAD45C48C7DE025F1478F065FF38BB
SHA-256:	EBBCB00843283918F69415DF2D0FE78D7239527A592F03E65F296EEE3F9FB4E4
SHA-512:	4A68B1BED4CEDE648A1AD0BE535DB587844AE8D69E742C49DA0F3EE0B01F3F983E96F21F77CE9CE69BC3204F57AA91B289253E25FF118B74FCDC1329A4004C49
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmp9C72.tmp

Download File

Process:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.151574547335532
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	B8801377A791997FBC93D3EDC361C57F
SHA1:	CBC782BC13AAD45C48C7DE025F1478F065FF38BB
SHA-256:	EBBCB00843283918F69415DF2D0FE78D7239527A592F03E65F296EEE3F9FB4E4
SHA-512:	4A68B1BED4CEDE648A1AD0BE535DB587844AE8D69E742C49DA0F3EE0B01F3F983E96F21F77CE9CE69BC3204F57AA91B289253E25FF118B74FCDC1329A4004C49
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmpE34F.tmp

Download File

Process:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1594
Entropy (8bit):	5.151574547335532
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtSxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTWv
MD5:	B8801377A791997FBC93D3EDC361C57F
SHA1:	CBC782BC13AAD45C48C7DE025F1478F065FF38BB
SHA-256:	EBBCB00843283918F69415DF2D0FE78D7239527A592F03E65F296EEE3F9FB4E4
SHA-512:	4A68B1BED4CEDE648A1AD0BE535DB587844AE8D69E742C49DA0F3EE0B01F3F983E96F21F77CE9CE69BC3204F57AA91B289253E25FF118B74FCDC1329A4004C49
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:eWt:eWt
MD5:	628DD28222B41ED590BE807455B900F4
SHA1:	B2D20B6D905CDFA73EE48A63D68CDBC2CB95544E
SHA-256:	F55D454E585D202858EA0F2DC330BC6D72C2A80B89E8D307C1CDD1D007FDAA9B
SHA-512:	8FA90F6F764BD6504218CF1DC312B0CA15423B83386339D3030CEA23D33966B5C3F638A27D38DA418767BDC765EA9D409BE340D9DF76D726878BF85EA95C0AE4
Malicious:	true
Preview:	m.qyKc.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\JXayEzy.exe

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2223104
Entropy (8bit):	7.68131929551722
Encrypted:	false
SSDEEP:	24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF
MD5:	A7817732EDED62797B0C5E9DA109EDD7
SHA1:	E7E868E8A529CDD6BD32B4FA3711EFF0C9029DBB
SHA-256:	95969E3E0C1793E6177D5C5D20C9A667C9F28BB64907AD489682C41668EFC29D
SHA-512:	3664953E0E5C601E8D8123C0B9F3F43D727BF6F48F81A93FED051D6F0D275728CEDA92ECEF201E4CDCEAC29C17CE66B46820A43A6DAC9FD4B77B6D54F226DB01
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.xd..............0..F...........e... ........@.. .......................`"...........@.................................<e..O.......,....................@".....\&..T............................................ ............... ..H............text....E... ...F.................. ..`.rsrc...,............H..............@..@.reloc.......@".......!.............@..B................pe......H........K..$...........$...8/...........................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3....}......}.....(.......(......{....o....&.0..$........r...pr7..p.. (...........,..(......0............{....o....&.{.....o......{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!....*...0..-.........{....o".....,..{.....o.....+..{...

C:\Users\user\AppData\Roaming\JXayEzy.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\MSDCSC\msdcsc.exe

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	2223104
Entropy (8bit):	7.68131929551722
Encrypted:	false
SSDEEP:	24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF
MD5:	A7817732EDED62797B0C5E9DA109EDD7
SHA1:	E7E868E8A529CDD6BD32B4FA3711EFF0C9029DBB
SHA-256:	95969E3E0C1793E6177D5C5D20C9A667C9F28BB64907AD489682C41668EFC29D
SHA-512:	3664953E0E5C601E8D8123C0B9F3F43D727BF6F48F81A93FED051D6F0D275728CEDA92ECEF201E4CDCEAC29C17CE66B46820A43A6DAC9FD4B77B6D54F226DB01
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.xd..............0..F...........e... ........@.. .......................`"...........@.................................<e..O.......,....................@".....\&..T............................................ ............... ..H............text....E... ...F.................. ..`.rsrc...,............H..............@..@.reloc.......@".......!.............@..B................pe......H........K..$...........$...8/...........................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3....}......}.....(.......(......{....o....&.0..$........r...pr7..p.. (...........,..(......0............{....o....&.{.....o......{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!.....{....( ...o!....*...0..-.........{....o".....,..{.....o.....+..{...

C:\Users\user\Documents\MSDCSC\msdcsc.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.68131929551722
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	A1DB2JVWGG.CNT.exe
File size:	2223104
MD5:	a7817732eded62797b0c5e9da109edd7
SHA1:	e7e868e8a529cdd6bd32b4fa3711eff0c9029dbb
SHA256:	95969e3e0c1793e6177d5c5d20c9a667c9f28bb64907ad489682c41668efc29d
SHA512:	3664953e0e5c601e8d8123c0b9f3f43d727bf6f48f81a93fed051d6f0d275728ceda92ecef201e4cdceac29c17ce66b46820a43a6dac9fd4b77b6d54f226db01
SSDEEP:	24576:tA74/4qimDN0nixgBQcZ+WtGsK0i+CqBRCJcbpaa4S7qeL7pjhlyIy6Vs6wGpYUa:tA74/t6FQcZ+WRs+BRL4ShjTyIF
TLSH:	FDA5D000DABBCDDCC4760E780034163116B79F62586FE3C8997579B9E8787C2A684E7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F.xd..............0..F...........e... ........@.. .......................`"...........@................................

File Icon


Icon Hash:	cfc3ce4cccccc74f

Static PE Info

General

Entrypoint:	0x5b658e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6478F346 [Thu Jun 1 19:36:38 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b653c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1b8000	0x6a02c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x224000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1b265c	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1b4594	0x1b4600	False	0.9364711266470925	data	7.897532048001292	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1b8000	0x6a02c	0x6a200	False	0.2072359945524146	data	5.854806072192783	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x224000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x1b82b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_ICON	0x1b8718	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304
RT_ICON	0x1b90a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON	0x1ba148	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0x1bc6f0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_ICON	0x1c0918	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736
RT_ICON	0x1c5da0	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864
RT_ICON	0x1cf248	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON	0x1dfa70	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 262144
RT_GROUP_ICON	0x221a98	0x84	data
RT_VERSION	0x221b1c	0x324	data
RT_MANIFEST	0x221e40	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.35.252.165.23049702282892025019 06/02/23-02:26:44.385767	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49702	28289	192.168.2.3	5.252.165.230
5.252.165.230192.168.2.339399497042806577 06/02/23-02:27:01.218517	TCP	2806577	ETPRO TROJAN DarkComet-RAT init connection 2	39399	49704	5.252.165.230	192.168.2.3
192.168.2.35.252.165.23049711282892025019 06/02/23-02:27:54.203652	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49711	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049713282892025019 06/02/23-02:28:03.961219	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49713	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049705282892025019 06/02/23-02:27:16.433852	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49705	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049712282892025019 06/02/23-02:27:59.459924	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049716282892025019 06/02/23-02:28:22.359438	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049706282892025019 06/02/23-02:27:24.140871	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49706	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049708282892025019 06/02/23-02:27:35.526983	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49708	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049707282892025019 06/02/23-02:27:28.447502	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49707	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049713282892816718 06/02/23-02:28:05.016410	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49713	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049702282892816718 06/02/23-02:26:45.935768	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49702	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049710282892025019 06/02/23-02:27:47.888873	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49710	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049708282892816766 06/02/23-02:27:36.099395	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49708	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049707282892816766 06/02/23-02:27:29.300655	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49707	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049709282892816766 06/02/23-02:27:43.508322	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49709	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049706282892816766 06/02/23-02:27:24.211225	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49706	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049716282892816766 06/02/23-02:28:25.005929	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49716	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049709282892025019 06/02/23-02:27:41.004326	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049704393992806578 06/02/23-02:27:01.218732	TCP	2806578	ETPRO TROJAN DarkComet-RAT server join acknowledgement 2	49704	39399	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049704393992807821 06/02/23-02:28:23.003919	TCP	2807821	ETPRO TROJAN DarkComet-RAT activity	49704	39399	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049710282892816766 06/02/23-02:27:48.244529	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49710	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049711282892816766 06/02/23-02:27:54.312190	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49711	28289	192.168.2.3	5.252.165.230
5.252.165.230192.168.2.328289497142841753 06/02/23-02:28:11.405336	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49714	5.252.165.230	192.168.2.3
192.168.2.35.252.165.23049702282892816766 06/02/23-02:26:46.881522	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49702	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049712282892816766 06/02/23-02:27:59.647498	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49712	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049713282892816766 06/02/23-02:28:06.982149	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49713	28289	192.168.2.3	5.252.165.230
5.252.165.230192.168.2.328289497062810290 06/02/23-02:27:24.236176	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	28289	49706	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497032841753 06/02/23-02:27:02.943535	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49703	5.252.165.230	192.168.2.3
192.168.2.35.252.165.23049714282892816766 06/02/23-02:28:11.424790	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49714	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049715282892816766 06/02/23-02:28:17.957593	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49715	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049703282892816766 06/02/23-02:27:05.840215	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49703	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049705282892816766 06/02/23-02:27:18.414247	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49705	28289	192.168.2.3	5.252.165.230
5.252.165.230192.168.2.328289497122841753 06/02/23-02:27:59.490400	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49712	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497102841753 06/02/23-02:27:47.915148	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49710	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497112841753 06/02/23-02:27:54.245563	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49711	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497062841753 06/02/23-02:27:24.193892	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49706	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497072841753 06/02/23-02:27:28.477912	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49707	5.252.165.230	192.168.2.3
5.252.165.230192.168.2.328289497082841753 06/02/23-02:27:35.555003	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	28289	49708	5.252.165.230	192.168.2.3
192.168.2.35.252.165.23049715282892025019 06/02/23-02:28:16.130201	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049703282892025019 06/02/23-02:26:52.916534	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49703	28289	192.168.2.3	5.252.165.230
192.168.2.35.252.165.23049714282892025019 06/02/23-02:28:11.375206	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49714	28289	192.168.2.3	5.252.165.230

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 2, 2023 02:26:44.151659012 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.176666975 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.176943064 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.385766983 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.461059093 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.461219072 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.531969070 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.532335043 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.558764935 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.572933912 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.648416996 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.648534060 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.719214916 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.719274998 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.719321966 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.719372988 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.719436884 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.719438076 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.724944115 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.744440079 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744507074 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744559050 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744612932 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.744642973 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744677067 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.744725943 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744774103 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744795084 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.744831085 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.744859934 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744911909 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.744962931 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.769788980 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.769835949 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.769870043 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.769901991 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.769927025 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.769962072 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.769975901 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770009041 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770039082 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770071030 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770088911 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770116091 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770131111 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770160913 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770190954 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770222902 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770237923 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770268917 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770301104 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770313978 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770344019 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.770356894 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770387888 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.770431042 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.795751095 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.795823097 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.795876980 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.795927048 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.795958042 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.795983076 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796030998 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796077967 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796125889 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796173096 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796192884 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796240091 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796293020 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796338081 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796387911 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796437979 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796461105 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796509027 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796560049 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796577930 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796622992 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796643972 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796694040 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796741962 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796760082 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796808004 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796852112 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.796874046 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796926022 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.796972036 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797019005 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.797039032 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797086000 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797133923 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797152996 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.797183037 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.797218084 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797266006 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797318935 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797332048 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.797379017 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797429085 CEST	49702	28289	192.168.2.3	5.252.165.230
Jun 2, 2023 02:26:44.797446012 CEST	28289	49702	5.252.165.230	192.168.2.3
Jun 2, 2023 02:26:44.797494888 CEST	28289	49702	5.252.165.230	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 2, 2023 02:26:44.097316027 CEST	52387	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:26:44.140640974 CEST	53	52387	8.8.8.8	192.168.2.3
Jun 2, 2023 02:26:52.799304008 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:26:52.834667921 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:01.122903109 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:01.157489061 CEST	53	60625	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:13.448749065 CEST	49302	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:13.469129086 CEST	53	49302	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:24.085566044 CEST	53975	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:24.114435911 CEST	53	53975	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:28.394402027 CEST	51139	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:28.415224075 CEST	53	51139	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:35.480336905 CEST	52955	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:35.500720978 CEST	53	52955	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:40.942588091 CEST	60582	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:40.977518082 CEST	53	60582	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:47.830245018 CEST	57134	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:47.858867884 CEST	53	57134	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:54.156784058 CEST	62050	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:54.177257061 CEST	53	62050	8.8.8.8	192.168.2.3
Jun 2, 2023 02:27:59.039582968 CEST	56042	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:27:59.075484037 CEST	53	56042	8.8.8.8	192.168.2.3
Jun 2, 2023 02:28:03.900932074 CEST	59636	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:28:03.929716110 CEST	53	59636	8.8.8.8	192.168.2.3
Jun 2, 2023 02:28:11.316447020 CEST	55638	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:28:11.342737913 CEST	53	55638	8.8.8.8	192.168.2.3
Jun 2, 2023 02:28:16.073724031 CEST	57704	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:28:16.102108955 CEST	53	57704	8.8.8.8	192.168.2.3
Jun 2, 2023 02:28:22.290910006 CEST	65320	53	192.168.2.3	8.8.8.8
Jun 2, 2023 02:28:22.325861931 CEST	53	65320	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 2, 2023 02:26:44.097316027 CEST	192.168.2.3	8.8.8.8	0xa280	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:26:52.799304008 CEST	192.168.2.3	8.8.8.8	0x2563	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:01.122903109 CEST	192.168.2.3	8.8.8.8	0x3b25	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:13.448749065 CEST	192.168.2.3	8.8.8.8	0x72f6	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:24.085566044 CEST	192.168.2.3	8.8.8.8	0x5786	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:28.394402027 CEST	192.168.2.3	8.8.8.8	0x5f2c	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:35.480336905 CEST	192.168.2.3	8.8.8.8	0xfe7f	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:40.942588091 CEST	192.168.2.3	8.8.8.8	0x25e1	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:47.830245018 CEST	192.168.2.3	8.8.8.8	0x554	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:54.156784058 CEST	192.168.2.3	8.8.8.8	0x7d9a	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:59.039582968 CEST	192.168.2.3	8.8.8.8	0x1fe3	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:03.900932074 CEST	192.168.2.3	8.8.8.8	0x9445	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:11.316447020 CEST	192.168.2.3	8.8.8.8	0xae54	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:16.073724031 CEST	192.168.2.3	8.8.8.8	0x33e2	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:22.290910006 CEST	192.168.2.3	8.8.8.8	0xd8e	Standard query (0)	timmy08.ddns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 2, 2023 02:26:44.140640974 CEST	8.8.8.8	192.168.2.3	0xa280	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:26:52.834667921 CEST	8.8.8.8	192.168.2.3	0x2563	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:01.157489061 CEST	8.8.8.8	192.168.2.3	0x3b25	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:13.469129086 CEST	8.8.8.8	192.168.2.3	0x72f6	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:24.114435911 CEST	8.8.8.8	192.168.2.3	0x5786	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:28.415224075 CEST	8.8.8.8	192.168.2.3	0x5f2c	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:35.500720978 CEST	8.8.8.8	192.168.2.3	0xfe7f	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:40.977518082 CEST	8.8.8.8	192.168.2.3	0x25e1	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:47.858867884 CEST	8.8.8.8	192.168.2.3	0x554	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:54.177257061 CEST	8.8.8.8	192.168.2.3	0x7d9a	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:27:59.075484037 CEST	8.8.8.8	192.168.2.3	0x1fe3	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:03.929716110 CEST	8.8.8.8	192.168.2.3	0x9445	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:11.342737913 CEST	8.8.8.8	192.168.2.3	0xae54	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:16.102108955 CEST	8.8.8.8	192.168.2.3	0x33e2	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false
Jun 2, 2023 02:28:22.325861931 CEST	8.8.8.8	192.168.2.3	0xd8e	No error (0)	timmy08.ddns.net	5.252.165.230	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	02:26:22
Start date:	02/06/2023
Path:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0x970000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.399195409.0000000004886000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.392562881.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000000.00000002.399195409.0000000004105000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: powershell.exePID: 7544, Parent PID: 7460

General

Target ID:	1
Start time:	02:26:30
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0xd60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 7552, Parent PID: 7544

General

Target ID:	2
Start time:	02:26:30
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 7640, Parent PID: 7460

General

Target ID:	3
Start time:	02:26:31
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Imagebase:	0xd60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: schtasks.exePID: 7660, Parent PID: 7460

General

Target ID:	4
Start time:	02:26:31
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp12D0.tmp
Imagebase:	0x1f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7668, Parent PID: 7640

General

Target ID:	5
Start time:	02:26:31
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7688, Parent PID: 7660

General

Target ID:	6
Start time:	02:26:31
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JXayEzy.exePID: 7808, Parent PID: 1080

General

Target ID:	7
Start time:	02:26:32
Start date:	02/06/2023
Path:	C:\Users\user\AppData\Roaming\JXayEzy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JXayEzy.exe
Imagebase:	0x9d0000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 27%, ReversingLabs
Reputation:	low

Analysis Process: A1DB2JVWGG.CNT.exePID: 7852, Parent PID: 7460

General

Target ID:	8
Start time:	02:26:34
Start date:	02/06/2023
Path:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0x3e0000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: A1DB2JVWGG.CNT.exePID: 7908, Parent PID: 7460

General

Target ID:	10
Start time:	02:26:35
Start date:	02/06/2023
Path:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0x160000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: A1DB2JVWGG.CNT.exePID: 7936, Parent PID: 7460

General

Target ID:	11
Start time:	02:26:35
Start date:	02/06/2023
Path:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0x4c0000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: A1DB2JVWGG.CNT.exePID: 7948, Parent PID: 7460

General

Target ID:	12
Start time:	02:26:35
Start date:	02/06/2023
Path:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe
Imagebase:	0xce0000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.400104178.0000000003096000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_DarkComet, Description: Detects DarkComet, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: DarkComet_1, Description: DarkComet RAT, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 0000000C.00000002.397292430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.400104178.000000000306C000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.397292430.000000000049D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.400104178.00000000030BA000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000000C.00000002.397292430.00000000004A4000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: DarkComet_2, Description: DarkComet, Source: 0000000C.00000002.400104178.00000000030C1000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_
Reputation:	low

Analysis Process: cmd.exePID: 8032, Parent PID: 7948

General

Target ID:	13
Start time:	02:26:36
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 8040, Parent PID: 7948

General

Target ID:	14
Start time:	02:26:37
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\user\Desktop" +s +h
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 8048, Parent PID: 8032

General

Target ID:	15
Start time:	02:26:37
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 8064, Parent PID: 8040

General

Target ID:	16
Start time:	02:26:37
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exePID: 8096, Parent PID: 8032

General

Target ID:	17
Start time:	02:26:38
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib "C:\Users\user\Desktop\A1DB2JVWGG.CNT.exe" +s +h
Imagebase:	0x1220000
File size:	19456 bytes
MD5 hash:	A5540E9F87D4CB083BDF8269DEC1CFF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: attrib.exePID: 8152, Parent PID: 8040

General

Target ID:	18
Start time:	02:26:38
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib "C:\Users\user\Desktop" +s +h
Imagebase:	0x1220000
File size:	19456 bytes
MD5 hash:	A5540E9F87D4CB083BDF8269DEC1CFF9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: JUNE STUB.EXEPID: 8176, Parent PID: 7948

General

Target ID:	19
Start time:	02:26:38
Start date:	02/06/2023
Path:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Imagebase:	0xcc0000
File size:	207360 bytes
MD5 hash:	4D9AC7D6E684CD3874B662971B6BC536
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.639756642.0000000006C60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640582585.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640822750.0000000006D00000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.639572623.0000000006C40000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.639327601.0000000006C10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640048341.0000000006C80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: NanoCore, Description: unknown, Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.625066874.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000000.391419117.0000000000CC2000.00000002.00000001.01000000.0000000A.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640453706.0000000006CD0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.639417055.0000000006C20000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640195396.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640312728.0000000006CB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.640130436.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.637176007.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.631531483.0000000004515000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.641220331.0000000006D30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.631531483.000000000441F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.636982367.0000000005A80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.625066874.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML

Analysis Process: notepad.exePID: 7292, Parent PID: 7948

General

Target ID:	20
Start time:	02:26:40
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	notepad
Imagebase:	0xdd0000
File size:	236032 bytes
MD5 hash:	D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 5860, Parent PID: 7948

General

Target ID:	21
Start time:	02:26:41
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Imagebase:	0x940000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.470317430.0000000004126000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.442690195.000000000319D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: RAT_DarkComet, Description: Detects DarkComet RAT, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_DarkCometRat, Description: Yara detected DarkComet, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_1, Description: DarkComet RAT, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: botherder https://github.com/botherder Rule: DarkComet_3, Description: unknown, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: DarkComet_4, Description: unknown, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Darkcomet_1df27bcc, Description: unknown, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000002.470317430.0000000004AAC000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 27%, ReversingLabs

Analysis Process: msdcsc.exePID: 7264, Parent PID: 3452

General

Target ID:	22
Start time:	02:26:47
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Imagebase:	0xd80000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000016.00000002.475372371.00000000033B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000016.00000002.486347814.0000000005049000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: powershell.exePID: 2680, Parent PID: 5860

General

Target ID:	23
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0xd60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 4404, Parent PID: 2680

General

Target ID:	24
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: powershell.exePID: 7672, Parent PID: 5860

General

Target ID:	25
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JXayEzy.exe
Imagebase:	0xd60000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: conhost.exePID: 7732, Parent PID: 7672

General

Target ID:	26
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 7688, Parent PID: 5860

General

Target ID:	27
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp5A49.tmp
Imagebase:	0x1f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 2100, Parent PID: 7688

General

Target ID:	28
Start time:	02:26:49
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 6284, Parent PID: 5860

General

Target ID:	31
Start time:	02:26:55
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0x100000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 6288, Parent PID: 5860

General

Target ID:	32
Start time:	02:26:55
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0x800000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 00000020.00000002.622990283.0000000002C81000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000020.00000002.622990283.0000000002C2C000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000020.00000002.622990283.0000000002C7A000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_

Analysis Process: dhcpmon.exePID: 6384, Parent PID: 3452

General

Target ID:	33
Start time:	02:26:57
Start date:	02/06/2023
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Imagebase:	0x1f0000
File size:	207360 bytes
MD5 hash:	4D9AC7D6E684CD3874B662971B6BC536
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000002.456486839.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000021.00000002.454672045.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems) Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth (Nextron Systems) Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML

Analysis Process: JUNE STUB.EXEPID: 8152, Parent PID: 6288

General

Target ID:	34
Start time:	02:26:59
Start date:	02/06/2023
Path:	C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\JUNE STUB.EXE"
Imagebase:	0x7f0000
File size:	207360 bytes
MD5 hash:	4D9AC7D6E684CD3874B662971B6BC536
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000022.00000002.459239135.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

Analysis Process: notepad.exePID: 1340, Parent PID: 6288

General

Target ID:	35
Start time:	02:26:59
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	notepad
Imagebase:	0xdd0000
File size:	236032 bytes
MD5 hash:	D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 7432, Parent PID: 3452

General

Target ID:	36
Start time:	02:27:06
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Documents\MSDCSC\msdcsc.exe"
Imagebase:	0xb60000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 7804, Parent PID: 7264

General

Target ID:	37
Start time:	02:27:07
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmp9C72.tmp
Imagebase:	0x1f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 7772, Parent PID: 7804

General

Target ID:	38
Start time:	02:27:07
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 5840, Parent PID: 7264

General

Target ID:	39
Start time:	02:27:11
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0x900000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 00000027.00000002.468665185.0000000002E81000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000027.00000002.468665185.0000000002E7A000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000027.00000002.468665185.0000000002E56000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 00000027.00000002.468665185.0000000002E2C000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_

Analysis Process: schtasks.exePID: 7612, Parent PID: 7432

General

Target ID:	40
Start time:	02:27:26
Start date:	02/06/2023
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JXayEzy" /XML "C:\Users\user\AppData\Local\Temp\tmpE34F.tmp
Imagebase:	0x1f0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 5304, Parent PID: 7612

General

Target ID:	41
Start time:	02:27:26
Start date:	02/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 5100, Parent PID: 7432

General

Target ID:	42
Start time:	02:27:28
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0x100000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: msdcsc.exePID: 5236, Parent PID: 7432

General

Target ID:	43
Start time:	02:27:30
Start date:	02/06/2023
Path:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Documents\MSDCSC\msdcsc.exe
Imagebase:	0x640000
File size:	2223104 bytes
MD5 hash:	A7817732EDED62797B0C5E9DA109EDD7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: DarkComet_2, Description: DarkComet, Source: 0000002B.00000002.507022400.0000000002ACA000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000002B.00000002.507022400.0000000002AA6000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000002B.00000002.507022400.0000000002A7C000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_ Rule: DarkComet_2, Description: DarkComet, Source: 0000002B.00000002.507022400.0000000002AD1000.00000004.00001000.00020000.00000000.sdmp, Author: Jean-Philippe Teissier / @Jipe_

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report A1DB2JVWGG.CNT.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DarkComet

Threatname: NanoCore

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Persistence and Installation Behavior

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JUNE STUB.EXE.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log

Windows Analysis Report
A1DB2JVWGG.CNT.exe

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre