
Analysis Report: điện chuyển tiền 2002-Sacombank.exe

Overview

General Information

Sample Name: điện chuyển tiền 2002-Sacombank.exe (the sandbox renders the Vietnamese characters as #U-escapes; the name translates roughly to "wire transfer 2002-Sacombank", Sacombank being a Vietnamese bank, so the lure poses as a bank transfer notice)
Analysis ID: 288062
MD5: 1cf81ecb60092d5630fe9000420d3245
SHA1: 55c053e4822a81ba75ba9f1d19763d7840851265
SHA256: b05bbc1ec002c006b0df222fa5d97881cc892a8b2a107a92f0ed5956520f0674

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Disables Windows Defender (via service or powershell)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • điện chuyển tiền 2002-Sacombank.exe (PID: 6764 cmdline: 'C:\Users\user\Desktop\điện chuyển tiền 2002-Sacombank.exe' MD5: 1CF81ECB60092D5630FE9000420D3245)
    • powershell.exe (PID: 1988 cmdline: 'powershell' Get-MpPreference -verbose MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7000 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableArchiveScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7028 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7120 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisablePrivacyMode $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4580 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5152 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6176 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6748 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6840 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4736 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6272 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6116 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6884 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6612 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HzzWxAPgBBRCvn' /XML 'C:\Users\user\AppData\Local\Temp\tmpB13C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7788 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 1208 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpF71F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7472 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp43F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000024.00000002.642664538.0000000005540000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000024.00000002.642664538.0000000005540000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(39 matching memory dumps in total; the first five are shown. The leading field of a dump name is the process index in hex: 00000024 is process 36, the RegSvcs.exe host that the payload was injected into, and 00000000 is the dropper itself, so nearly every match comes from the injected process rather than from the file on disk.)

Unpacked PEs

Source | Rule | Description | Author | Strings
36.2.RegSvcs.exe.61f0000.7.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
36.2.RegSvcs.exe.61f0000.7.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost
36.2.RegSvcs.exe.5540000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
36.2.RegSvcs.exe.5540000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
36.2.RegSvcs.exe.63c0000.13.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1deb:$x1: NanoCore.ClientPluginHost
  • 0x1e24:$x2: IClientNetworkHost
(51 matching unpacked PEs in total; the first five are shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 7788, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
The event is a Sysmon FileCreate (ID 11). A GUID-named folder under %APPDATA% holding run.dat is the NanoCore client's working directory; the GUID differs between samples, so hunt on the run.dat name plus the GUID pattern rather than on this literal path.
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HzzWxAPgBBRCvn' /XML 'C:\Users\user\AppData\Local\Temp\tmpB13C.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HzzWxAPgBBRCvn' /XML 'C:\Users\user\AppData\Local\Temp\tmpB13C.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\điện chuyển tiền 2002-Sacombank.exe', ParentImage: C:\Users\user\Desktop\điện chuyển tiền 2002-Sacombank.exe, ParentProcessId: 6764, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HzzWxAPgBBRCvn' /XML 'C:\Users\user\AppData\Local\Temp\tmpB13C.tmp', ProcessId: 6612
Note that the command line names C:\Windows\System32\schtasks.exe while the image that actually ran is C:\Windows\SysWOW64\schtasks.exe: the dropper is a 32-bit process (the injection host is likewise the 32-bit Framework\v2.0.50727\RegSvcs.exe), so WoW64 file-system redirection resolved the System32 path to SysWOW64. Detection logic keyed on Image has to accept both paths.
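The process tree above and the two Sigma hits describe a small, repeatable pattern: a chain of Set-MpPreference calls that switch Defender features off, schtasks.exe registering a task from an XML file in %TEMP%, the same done again from inside the injected RegSvcs.exe, and run.dat appearing under a GUID folder in %APPDATA%. The script below is an added example, not code from the report or from Joe Security, showing how that pattern can be hunted over endpoint telemetry. The events it runs on are constructed here from the report's own command lines (field names follow Sysmon event IDs 1 and 11); the set of tampering parameters and values is my reading of the Set-MpPreference calls in the tree, and the names of the finding categories are my own.

```python
"""Hunt for Defender tampering via Set-MpPreference, scheduled-task creation
from an XML in %TEMP%, and the NanoCore run.dat drop, over constructed
process-create / file-create events. Added example, not from the report."""
import re
from dataclasses import dataclass

# Set-MpPreference parameters seen in the process tree and the values that weaken
# Defender. Threat default action 6 = Allow; MAPSReporting 0 = off;
# SubmitSamplesConsent 2 = never send.
TAMPER_PARAMS = {
    "disablerealtimemonitoring": {"$true", "1"},
    "disableioavprotection": {"$true", "1"},
    "disablescriptscanning": {"$true", "1"},
    "disablearchivescanning": {"$true", "1"},
    "disableblockatfirstseen": {"$true", "1"},
    "disableprivacymode": {"$true", "1"},
    "signaturedisableupdateonstartupwithoutengine": {"$true", "1"},
    "mapsreporting": {"0"},
    "submitsamplesconsent": {"2"},
    "highthreatdefaultaction": {"6"},
    "severethreatdefaultaction": {"6"},
    "moderatethreatdefaultaction": {"6"},
    "lowthreatdefaultaction": {"6"},
}
SET_MP = re.compile(r"set-mppreference\s+-(\w+)\s+(\$?\w+)", re.I)
# schtasks /create ... /xml <file under ...\AppData\Local\Temp\>; quoting optional
TEMP_XML = re.compile(
    r"schtasks(?:\.exe)?['\"]?\s+/create\b.*?/xml\s+['\"]?"
    r"([^'\"]*\\AppData\\Local\\Temp\\[^'\"\s]+)", re.I)
# NanoCore keeps run.dat in %APPDATA%\{GUID}\; the GUID differs between samples
RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$", re.I)


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create (Sysmon numbering)
    image: str
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


def check_event(ev):
    """Return the findings for one event (empty list when nothing matches)."""
    findings = []
    if ev.event_id == 1:
        m = SET_MP.search(ev.command_line)
        if m and m.group(2).lower() in TAMPER_PARAMS.get(m.group(1).lower(), ()):
            findings.append(f"defender_tamper:{m.group(1)}={m.group(2)}")
        m = TEMP_XML.search(ev.command_line)
        if m:
            findings.append(f"schtasks_xml_from_temp:{m.group(1)}")
            # RegSvcs.exe is a .NET utility that never needs to register tasks
            if ev.parent_image.lower().endswith("\\regsvcs.exe"):
                findings.append("schtasks_spawned_by_regsvcs")
    elif ev.event_id == 11 and RUN_DAT.search(ev.target_filename):
        findings.append(f"nanocore_run_dat:{ev.target_filename}")
    return findings


def hunt(events):
    """Return (event index, finding) pairs for every suspicious event."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


def tally(hits):
    """Count findings by category (the text before the first colon)."""
    counts = {}
    for _, f in hits:
        cat = f.split(":", 1)[0]
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed events, taken from the process tree and Sigma hits in this report;
# event 5 is a deliberately benign re-enable that must not fire.
DROPPER = r"C:\Users\user\Desktop\điện chuyển tiền 2002-Sacombank.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
SAMPLE_EVENTS = [
    Event(1, PS, "'powershell' Get-MpPreference -verbose", DROPPER),
    Event(1, PS, f"'{PS}' Set-MpPreference -DisableRealtimeMonitoring $true", DROPPER),
    Event(1, PS, f"'{PS}' Set-MpPreference -HighThreatDefaultAction 6 -Force", DROPPER),
    Event(1, PS, f"'{PS}' Set-MpPreference -MAPSReporting 0", DROPPER),
    Event(1, PS, f"'{PS}' Set-MpPreference -SubmitSamplesConsent 2", DROPPER),
    Event(1, PS, f"'{PS}' Set-MpPreference -DisableRealtimeMonitoring $false",
          r"C:\Windows\System32\cmd.exe"),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HzzWxAPgBBRCvn' "
          r"/XML 'C:\Users\user\AppData\Local\Temp\tmpB13C.tmp'", DROPPER),
    Event(1, r"C:\Windows\SysWOW64\schtasks.exe",
          r"'schtasks.exe' /create /f /tn 'DHCP Monitor' "
          r"/xml 'C:\Users\user\AppData\Local\Temp\tmpF71F.tmp'", REGSVCS),
    Event(11, REGSVCS,
          target_filename=r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"),
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
    print(tally(hunt(SAMPLE_EVENTS)))
```

Two caveats when turning this into a production rule. Matching on Image must allow both C:\Windows\System32\schtasks.exe and C:\Windows\SysWOW64\schtasks.exe, since 32-bit parents are redirected as seen in the Sigma hit above. And on hosts where Defender's Tamper Protection is on, Set-MpPreference is refused for core settings such as real-time protection, so the commands still appear in process telemetry even though they fail; that makes them a high-signal indicator regardless of outcome.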

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: điện chuyển tiền 2002-Sacombank.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\HzzWxAPgBBRCvn.exe | Avira: detection malicious, Label: TR/AD.Nanocore.gvzge
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HzzWxAPgBBRCvn.exe | Virustotal: Detection: 22%
Multi AV Scanner detection for submitted file
Source: điện chuyển tiền 2002-Sacombank.exe | Virustotal: Detection: 22%
The dropped file carries the same random name as the scheduled task 'Updates\HzzWxAPgBBRCvn' created from the Temp XML above, which is consistent with that task being the persistence mechanism for this copy of the dropper; the task XML itself is not reproduced in the report. A 22% multi-scanner rate at analysis time also means signature-based AV alone should not be relied on for this sample.
Yara detected Nanocore RAT
Source: Yara match | File source: 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.640372549.0000000003B5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: điện chuyển tiền 2002-Sacombank.exe PID: 6764, type: MEMORY
Source: Yara match | File source: 36.2.RegSvcs.exe.57d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.RegSvcs.exe.57d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HzzWxAPgBBRCvn.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: điện chuyển tiền 2002-Sacombank.exe | Joe Sandbox ML: detected
Source: 36.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 79.134.225.72:7094
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 79.134.225.72:7094
Source: Joe Sandbox View | IP Address: 79.134.225.72
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.72
(The entry above is repeated 50 times in the original report. The client reaches the C2 by literal IP address on a non-standard port rather than by resolving a domain, so there is no DNS record to pivot on; the IP, the port and the ASN are the usable network indicators.)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 36_2_04E2324A WSARecv
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000024.00000002.643514287.00000000063B0000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378872924.0000000005491000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378737995.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com8Fr
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378872924.0000000005491000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378737995.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485140113.0000000005480000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersico
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485155849.000000000548E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdiaa.IbFy
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485155849.000000000548E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comiI-F
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378365266.000000000548B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380314327.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.IbFy
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/4H
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380314327.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/EIIFy
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Kurs
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/do
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380314327.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/iI-F
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380314327.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.IbFy
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380314327.000000000548D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/rIFF
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.380129633.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rIFF
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.379887898.0000000005488000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/rz
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.436650810.000000000549B000.00000004.00000001.sdmp, 00000000.00000003.379174181.000000000549B000.00000004.00000001.sdmp, 00000000.00000003.376381388.000000000549B000.00000004.00000001.sdmp, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp, 00000000.00000003.376365102.000000000549B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000002.485294622.0000000005600000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378685838.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378685838.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnP
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378685838.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: điện chuyển tiền 2002-Sacombank.exe, 00000000.00000003.378685838.0000000005484000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnr-f&v-F
Source: RegSvcs.exe, 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
Apart from http://google.com in RegSvcs.exe memory, the URLs above are font-foundry addresses (Font Bureau, Carter & Cone, Founder, Jiyu-Kobo, Sandoll, Tiro, URW and others) that come from font licensing metadata, which is typical for a .NET binary that draws a Windows Forms GUI; the trailing junk characters are adjacent memory bytes. They are not network indicators and should not be added to blocklists. The items that matter are in the injected RegSvcs.exe process: the WSARecv call site shows the payload receiving network data, and RegisterRawInputDevices is the API behind the "Installs a raw input device" signature, consistent with keystroke capture.
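The network evidence comes down to one observation repeated many times: an outbound TCP connection to a public IP on an unusual port with no DNS lookup that could have produced that address. The script below is an added example, not part of the Joe Sandbox report, of how that check is done over passive DNS and flow records; the two record layouts, the benign DNS answers and flows, the 600-second correlation window and the set of "common" destination ports are all constructed or chosen here for the example. The flow to 79.134.225.72:7094 is the one the report attributes to the NanoCore client.

```python
"""Correlate TCP flows with preceding DNS answers and flag external destinations
that were never resolved, the condition behind "TCP traffic detected without
corresponding DNS query". Added example; record formats are constructed."""
import ipaddress
from collections import defaultdict

# Destination ports a client commonly reaches; anything else adds a second reason.
# This set is a choice made for the example, not a standard.
COMMON_PORTS = {25, 53, 80, 123, 443, 587, 993, 995}

# Constructed passive-DNS records: (timestamp, client_ip, qname, answered_ip)
DNS_ANSWERS = [
    (10.0, "192.168.2.3", "www.msftconnecttest.com", "13.107.4.52"),
    (12.5, "192.168.2.3", "google.com", "142.250.74.110"),
]
# Constructed flow records: (timestamp, src_ip, src_port, dst_ip, dst_port)
TCP_FLOWS = [
    (10.2, "192.168.2.3", 49701, "13.107.4.52", 80),
    (12.6, "192.168.2.3", 49702, "142.250.74.110", 443),
    (40.1, "192.168.2.3", 49739, "79.134.225.72", 7094),   # C2 flow from the report
    (41.0, "192.168.2.3", 49740, "192.168.2.1", 445),      # LAN traffic, ignored
]


def is_external(ip):
    """True for routable public addresses; private, loopback, link-local,
    multicast and reserved space is out of scope for this check."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved)


def correlate(dns_answers, tcp_flows, window=600.0):
    """Return one finding per external flow whose destination IP was not handed
    to the same client by a DNS answer within `window` seconds beforehand."""
    answers = defaultdict(list)          # (client_ip, answered_ip) -> [timestamps]
    for ts, client, _qname, ip in dns_answers:
        answers[(client, ip)].append(ts)

    findings = []
    for ts, src, sport, dst, dport in tcp_flows:
        if not is_external(dst):
            continue
        resolved = any(0 <= ts - t <= window for t in answers.get((src, dst), []))
        if resolved:
            continue
        reasons = ["no_dns_resolution"]
        if dport not in COMMON_PORTS:
            reasons.append("non_standard_port")
        findings.append({"flow": f"{src}:{sport} -> {dst}:{dport}",
                         "time": ts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in correlate(DNS_ANSWERS, TCP_FLOWS):
        print(f["flow"], ", ".join(f["reasons"]))
```

In a sandbox the capture starts with the sample, so the check is clean; on a real network it needs care. Resolutions cached before the capture began, DNS carried over HTTPS or TLS, and hosts resolving through a resolver the sensor does not see all produce flows with no visible DNS answer, so the window should be tuned to the environment and the rule scored alongside other evidence (here the Snort signature and the repeated reconnects to one IP on one port) rather than used alone.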

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.640372549.0000000003B5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: điện chuyển tiền 2002-Sacombank.exe PID: 6764, type: MEMORY
Source: Yara match | File source: 36.2.RegSvcs.exe.57d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.RegSvcs.exe.57d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 00000024.00000002.642664538.0000000005540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000024.00000002.643656637.0000000006410000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643607984.00000000063F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643378504.0000000006210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643484205.0000000006390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000024.00000002.643565807.00000000063E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643528586.00000000063C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643715061.0000000006440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643514287.00000000063B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643498319.00000000063A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643187593.0000000005F50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.639740273.0000000002B54000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000024.00000003.510058037.0000000003FE7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000024.00000002.643434293.0000000006370000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 00000024.00000002.643335415.00000000061F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: Process Memory Space: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe PID: 6764, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: Process Memory Space: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe PID: 6764, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 36.2.RegSvcs.exe.61f0000.7.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.5540000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63c0000.13.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.5f50000.6.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63f0000.15.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6410000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6390000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63b0000.12.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63e0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.5f50000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.57d0000.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.57d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63f0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6410000.16.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63a0000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63c0000.13.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.61f0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6390000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63b0000.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6370000.9.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6440000.17.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6210000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
    Source: 36.2.RegSvcs.exe.6440000.17.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.6370000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: 36.2.RegSvcs.exe.63e0000.14.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_07102D7A NtQuerySystemInformation, 0_2_07102D7A
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_07102D49 NtQuerySystemInformation, 0_2_07102D49
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04E21DFE NtQuerySystemInformation, 36_2_04E21DFE
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04E21DB1 NtQuerySystemInformation, 36_2_04E21DB1
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CDD930, 0_2_02CDD930
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD7AE8, 0_2_02CD7AE8
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD7AF8, 0_2_02CD7AF8
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CDE7D0, 0_2_02CDE7D0
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CDE7BF, 0_2_02CDE7BF
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD7778, 0_2_02CD7778
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD7D48, 0_2_02CD7D48
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CDD921, 0_2_02CDD921
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD7D38, 0_2_02CD7D38
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD1809, 0_2_02CD1809
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Code function: 0_2_02CD1818, 0_2_02CD1818
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_05F61AA8, 36_2_05F61AA8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_05F502B0, 36_2_05F502B0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE3850, 36_2_04CE3850
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE89D8, 36_2_04CE89D8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CEB2A8, 36_2_04CEB2A8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE2FA8, 36_2_04CE2FA8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE23A0, 36_2_04CE23A0
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE306F, 36_2_04CE306F
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE95D8, 36_2_04CE95D8
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE9E80, 36_2_04CE9E80
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, Code function: 36_2_04CE969F, 36_2_04CE969F
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Binary or memory string: OriginalFilename vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.489577279.0000000007CB0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamesamU.exe. vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.488897453.00000000070A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.489070101.0000000007250000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameButterFly.dll< vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.489265838.0000000007610000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.487508834.0000000006620000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEminem.dll< vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.489400513.0000000007710000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, 00000000.00000002.489400513.0000000007710000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Binary or memory string: OriginalFilenamesamU.exe. vs #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe
    Source: 00000024.00000002.642664538.0000000005540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.642664538.0000000005540000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.642705112.00000000057D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.637920618.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000024.00000002.643656637.0000000006410000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643656637.0000000006410000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643607984.00000000063F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643607984.00000000063F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643378504.0000000006210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643378504.0000000006210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643484205.0000000006390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643484205.0000000006390000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.481080971.0000000004071000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000024.00000002.643565807.00000000063E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643565807.00000000063E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643528586.00000000063C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643528586.00000000063C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643715061.0000000006440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643715061.0000000006440000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643514287.00000000063B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643514287.00000000063B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643498319.00000000063A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643498319.00000000063A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643187593.0000000005F50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643187593.0000000005F50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.639740273.0000000002B54000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000024.00000003.510058037.0000000003FE7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000024.00000002.643434293.0000000006370000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643434293.0000000006370000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000024.00000002.643335415.00000000061F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000024.00000002.643335415.00000000061F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: Process Memory Space: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe PID: 6764, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe PID: 6764, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 36.2.RegSvcs.exe.61f0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.61f0000.7.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.5540000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.5540000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63c0000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63c0000.13.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.5f50000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.5f50000.6.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63f0000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63f0000.15.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6410000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6410000.16.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6390000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6390000.10.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63b0000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63b0000.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63e0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63e0000.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.5f50000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.5f50000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.57d0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.57d0000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.57d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.57d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63f0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63f0000.15.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6410000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6410000.16.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63a0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63a0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63c0000.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.61f0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.61f0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6390000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6390000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63b0000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6370000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6370000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6440000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6440000.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6210000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6210000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 36.2.RegSvcs.exe.6440000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6440000.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.6370000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.6370000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 36.2.RegSvcs.exe.63e0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 36.2.RegSvcs.exe.63e0000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: HzzWxAPgBBRCvn.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: #U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: HzzWxAPgBBRCvn.exe.0.dr, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 0.2.#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe.750000.0.unpack, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 0.0.#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exe.750000.0.unpack, Frupal/End.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: classification engineClassification label: mal100.troj.evad.winEXE@53/68@0/1
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exeCode function: 0_2_07102BFE AdjustTokenPrivileges,0_2_07102BFE
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exeCode function: 0_2_07102BC7 AdjustTokenPrivileges,0_2_07102BC7
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 36_2_04E21972 AdjustTokenPrivileges,36_2_04E21972
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 36_2_04E2193B AdjustTokenPrivileges,36_2_04E2193B
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeFile created: C:\Program Files (x86)\DHCP Monitor
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exeFile created: C:\Users\user\AppData\Roaming\HzzWxAPgBBRCvn.exeJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_01
    Source: C:\Users\user\Desktop\#U0111i#U1ec7n chuy#U1ec3n ti#U1ec1n 2002-Sacombank.exeMutant created: \Sessions\1\BaseNamedObjects\ICRqgzrBpsuLbSKUoTrt
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{1022c03a-4444-476e-81b0-4d7b2007e368}
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6836:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1952:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:988:120:WilError_01