Play interactive tour

Edit tour

Analysis Report JMG Memo-Circular No 018-21.PDF.exe

Overview

General Information

Sample Name:	JMG Memo-Circular No 018-21.PDF.exe
Analysis ID:	356480
MD5:	f12d78ae2ce77b187e98b382bc400e6e
SHA1:	a4a09f0297221e8e3d8f510f139a10b30b9bb7e8
SHA256:	019dce879f64d1a5a23de8ae1d0eac08200954b26665232507187e7f524b4f24
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

JMG Memo-Circular No 018-21.PDF.exe (PID: 3540 cmdline: 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' MD5: F12D78AE2CE77B187E98B382BC400E6E)

schtasks.exe (PID: 6568 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

JMG Memo-Circular No 018-21.PDF.exe (PID: 6628 cmdline: {path} MD5: F12D78AE2CE77B187E98B382BC400E6E)

schtasks.exe (PID: 6864 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC90F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

JMG Memo-Circular No 018-21.PDF.exe (PID: 7000 cmdline: 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' 0 MD5: F12D78AE2CE77B187E98B382BC400E6E)

schtasks.exe (PID: 5660 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

JMG Memo-Circular No 018-21.PDF.exe (PID: 6376 cmdline: {path} MD5: F12D78AE2CE77B187E98B382BC400E6E)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2013e:$a: NanoCore 0x20163:$a: NanoCore 0x201bc:$a: NanoCore 0x3b49f:$a: NanoCore 0x3b4c5:$a: NanoCore 0x3b521:$a: NanoCore 0x483bb:$a: NanoCore 0x48414:$a: NanoCore 0x48447:$a: NanoCore 0x48673:$a: NanoCore 0x486ef:$a: NanoCore 0x48d08:$a: NanoCore 0x48e51:$a: NanoCore 0x49325:$a: NanoCore 0x4960c:$a: NanoCore 0x49623:$a: NanoCore 0x52507:$a: NanoCore 0x52583:$a: NanoCore 0x54e66:$a: NanoCore 0x59618:$a: NanoCore 0x59662:$a: NanoCore
00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55d7f:$a: NanoCore 0x55e69:$a: NanoCore 0x56ce0:$a: NanoCore 0x5fe8a:$a: NanoCore 0x5feeb:$a: NanoCore 0x5ff2e:$a: NanoCore 0x5ff6e:$a: NanoCore 0x601aa:$a: NanoCore 0x6024a:$a: NanoCore 0x60a22:$a: NanoCore 0x61015:$a: NanoCore 0x61166:$a: NanoCore 0x61fc0:$a: NanoCore 0x62227:$a: NanoCore 0x6223c:$a: NanoCore 0x6225b:$a: NanoCore 0x6b15e:$a: NanoCore 0x6b187:$a: NanoCore 0x76f00:$a: NanoCore 0x76f29:$a: NanoCore 0x9bdec:$a: NanoCore
00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xca58d:$x1: NanoCore.ClientPluginHost 0x1ab5cd:$x1: NanoCore.ClientPluginHost 0xca5ca:$x2: IClientNetworkHost 0x1ab60a:$x2: IClientNetworkHost 0xce0fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1af13d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xca2f5:$a: NanoCore 0xca305:$a: NanoCore 0xca539:$a: NanoCore 0xca54d:$a: NanoCore 0xca58d:$a: NanoCore 0x1ab335:$a: NanoCore 0x1ab345:$a: NanoCore 0x1ab579:$a: NanoCore 0x1ab58d:$a: NanoCore 0x1ab5cd:$a: NanoCore 0xca354:$b: ClientPlugin 0xca556:$b: ClientPlugin 0xca596:$b: ClientPlugin 0x1ab394:$b: ClientPlugin 0x1ab596:$b: ClientPlugin 0x1ab5d6:$b: ClientPlugin 0xca47b:$c: ProjectData 0x1ab4bb:$c: ProjectData 0xcae82:$d: DESCrypto 0x1abec2:$d: DESCrypto 0xd284e:$e: KeepAlive
00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x694f7:$a: NanoCore 0x69550:$a: NanoCore 0x6958d:$a: NanoCore 0x69606:$a: NanoCore 0x69559:$b: ClientPlugin 0x69596:$b: ClientPlugin 0x69e94:$b: ClientPlugin 0x69ea1:$b: ClientPlugin 0x5f67a:$e: KeepAlive 0x699e1:$g: LogClientMessage 0x69961:$i: get_Connected 0x5992d:$j: #=q 0x5995d:$j: #=q 0x59999:$j: #=q 0x599c1:$j: #=q 0x599f1:$j: #=q 0x59a21:$j: #=q 0x59a51:$j: #=q 0x59a81:$j: #=q 0x59a9d:$j: #=q 0x59acd:$j: #=q
0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x64b2d:$x1: NanoCore.ClientPluginHost 0xca58d:$x1: NanoCore.ClientPluginHost 0x64b6a:$x2: IClientNetworkHost 0xca5ca:$x2: IClientNetworkHost 0x6869d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xce0fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x64895:$a: NanoCore 0x648a5:$a: NanoCore 0x64ad9:$a: NanoCore 0x64aed:$a: NanoCore 0x64b2d:$a: NanoCore 0xca2f5:$a: NanoCore 0xca305:$a: NanoCore 0xca539:$a: NanoCore 0xca54d:$a: NanoCore 0xca58d:$a: NanoCore 0x648f4:$b: ClientPlugin 0x64af6:$b: ClientPlugin 0x64b36:$b: ClientPlugin 0xca354:$b: ClientPlugin 0xca556:$b: ClientPlugin 0xca596:$b: ClientPlugin 0x64a1b:$c: ProjectData 0xca47b:$c: ProjectData 0x65422:$d: DESCrypto 0xcae82:$d: DESCrypto 0x6cdee:$e: KeepAlive
00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x777d:$a: NanoCore 0x7795:$a: NanoCore 0x77ba:$a: NanoCore 0x109d9:$a: NanoCore 0x10a32:$a: NanoCore 0x10a6f:$a: NanoCore 0x10ae8:$a: NanoCore 0x24193:$a: NanoCore 0x241a8:$a: NanoCore 0x241dd:$a: NanoCore 0x31df2:$a: NanoCore 0x31e17:$a: NanoCore 0x31e70:$a: NanoCore 0x4200d:$a: NanoCore 0x42033:$a: NanoCore 0x4208f:$a: NanoCore 0x4eee4:$a: NanoCore 0x4ef3d:$a: NanoCore 0x4ef70:$a: NanoCore 0x4f19c:$a: NanoCore 0x4f218:$a: NanoCore
00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435cd:$a: NanoCore 0x43626:$a: NanoCore 0x43663:$a: NanoCore 0x436dc:$a: NanoCore 0x56d87:$a: NanoCore 0x56d9c:$a: NanoCore 0x56dd1:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fd90:$a: NanoCore 0x6fdc5:$a: NanoCore 0x4362f:$b: ClientPlugin 0x4366c:$b: ClientPlugin 0x43f6a:$b: ClientPlugin 0x43f77:$b: ClientPlugin 0x56b43:$b: ClientPlugin 0x56b5e:$b: ClientPlugin 0x56b8e:$b: ClientPlugin 0x56da5:$b: ClientPlugin 0x56dda:$b: ClientPlugin 0x6fb37:$b: ClientPlugin 0x6fb52:$b: ClientPlugin
00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc3367:$x1: NanoCore.ClientPluginHost 0x10bcca:$x1: NanoCore.ClientPluginHost 0xc33c8:$x2: IClientNetworkHost 0x10bd2b:$x2: IClientNetworkHost 0xc87cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd673f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x111130:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x11f0a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc2e6c:$a: NanoCore 0xc2e88:$a: NanoCore 0xc2fe3:$a: NanoCore 0xc2ff2:$a: NanoCore 0xc32cb:$a: NanoCore 0xc32f7:$a: NanoCore 0xc3367:$a: NanoCore 0xd2da9:$a: NanoCore 0xd2dbb:$a: NanoCore 0xd2df7:$a: NanoCore 0x10b7cf:$a: NanoCore 0x10b7eb:$a: NanoCore 0x10b946:$a: NanoCore 0x10b955:$a: NanoCore 0x10bc2e:$a: NanoCore 0x10bc5a:$a: NanoCore 0x10bcca:$a: NanoCore 0x11b70c:$a: NanoCore 0x11b71e:$a: NanoCore 0x11b75a:$a: NanoCore 0xc2f13:$b: ClientPlugin
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x7ed7b:$x1: NanoCore.ClientPluginHost 0x8720a:$x1: NanoCore.ClientPluginHost 0x8cdc9:$x1: NanoCore.ClientPluginHost 0x9e18d:$x1: NanoCore.ClientPluginHost 0xae982:$x1: NanoCore.ClientPluginHost 0x7eda1:$x2: IClientNetworkHost 0x87230:$x2: IClientNetworkHost 0x8ce0e:$x2: IClientNetworkHost 0x9e1d2:$x2: IClientNetworkHost 0xae9e3:$x2: IClientNetworkHost 0xb3de8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xc1d5a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x57772:$a: NanoCore 0x577d9:$a: NanoCore 0x5787d:$a: NanoCore 0x7ec6d:$a: NanoCore 0x7ed0e:$a: NanoCore 0x7ed7b:$a: NanoCore 0x7ee3c:$a: NanoCore 0x7fd0d:$a: NanoCore 0x7fd60:$a: NanoCore 0x7fd99:$a: NanoCore 0x7fe0c:$a: NanoCore 0x81753:$a: NanoCore 0x81837:$a: NanoCore 0x81853:$a: NanoCore 0x8186f:$a: NanoCore 0x8188b:$a: NanoCore 0x870fc:$a: NanoCore 0x8719d:$a: NanoCore 0x8720a:$a: NanoCore 0x872cb:$a: NanoCore 0x8819c:$a: NanoCore
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x18ce1:$x1: NanoCore.ClientPluginHost 0x3dd3d:$x1: NanoCore.ClientPluginHost 0x77ebc:$x1: NanoCore.ClientPluginHost 0x84699:$x1: NanoCore.ClientPluginHost 0x97215:$x1: NanoCore.ClientPluginHost 0x9a265:$x1: NanoCore.ClientPluginHost 0x9f29f:$x1: NanoCore.ClientPluginHost 0xa1607:$x1: NanoCore.ClientPluginHost 0xa565a:$x1: NanoCore.ClientPluginHost 0xac811:$x1: NanoCore.ClientPluginHost 0xb167e:$x1: NanoCore.ClientPluginHost 0xbde58:$x1: NanoCore.ClientPluginHost 0xc4f7e:$x1: NanoCore.ClientPluginHost 0xeac1d:$x1: NanoCore.ClientPluginHost 0xf1dc1:$x1: NanoCore.ClientPluginHost 0xf6c1c:$x1: NanoCore.ClientPluginHost 0x1033f6:$x1: NanoCore.ClientPluginHost 0x11ed96:$x1: NanoCore.ClientPluginHost 0x12d751:$x1: NanoCore.ClientPluginHost 0x1439c5:$x1: NanoCore.ClientPluginHost 0x19a044:$x1: NanoCore.ClientPluginHost
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x18ce1:$a: NanoCore 0x18d5e:$a: NanoCore 0x18e41:$a: NanoCore 0x3dd3d:$a: NanoCore 0x3dedb:$a: NanoCore 0x3f895:$a: NanoCore 0x414b2:$a: NanoCore 0x4158d:$a: NanoCore 0x422ff:$a: NanoCore 0x77e7f:$a: NanoCore 0x77ebc:$a: NanoCore 0x77f45:$a: NanoCore 0x7d2dd:$a: NanoCore 0x7d300:$a: NanoCore 0x7d355:$a: NanoCore 0x8465b:$a: NanoCore 0x84699:$a: NanoCore 0x84725:$a: NanoCore 0x8f0c2:$a: NanoCore 0x8f0e6:$a: NanoCore 0x8f13e:$a: NanoCore
Click to see the 55 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.6d90000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6d90000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0xe9c8:$x1: NanoCore.ClientPluginHost 0x1a76a:$x1: NanoCore.ClientPluginHost 0x3f66e:$x1: NanoCore.ClientPluginHost 0x4eaae:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost 0xe9e2:$x2: IClientNetworkHost 0x1a784:$x2: IClientNetworkHost 0x3f688:$x2: IClientNetworkHost 0x4eaeb:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0xe9c8:$x2: NanoCore.ClientPluginHost 0x1a76a:$x2: NanoCore.ClientPluginHost 0x3f66e:$x2: NanoCore.ClientPluginHost 0x4eaae:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0xf9fd:$s4: PipeCreated 0x1c515:$s4: PipeCreated 0x429ab:$s4: PipeCreated 0x51f01:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost 0xe9b5:$s5: IClientLoggingHost 0x1a757:$s5: IClientLoggingHost 0x3f65b:$s5: IClientLoggingHost 0x4ead8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36cb:$a: NanoCore 0x372c:$a: NanoCore 0x376f:$a: NanoCore 0x37af:$a: NanoCore 0x39eb:$a: NanoCore 0x3a8b:$a: NanoCore 0x4263:$a: NanoCore 0x4856:$a: NanoCore 0x49a7:$a: NanoCore 0x5801:$a: NanoCore 0x5a68:$a: NanoCore 0x5a7d:$a: NanoCore 0x5a9c:$a: NanoCore 0xe99f:$a: NanoCore 0xe9c8:$a: NanoCore 0x1a741:$a: NanoCore 0x1a76a:$a: NanoCore 0x3f62d:$a: NanoCore 0x3f645:$a: NanoCore 0x3f66e:$a: NanoCore 0x4ea71:$a: NanoCore
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e2e8a4.36.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e2e8a4.36.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0xcd3b:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost 0xcd55:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0xcd3b:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost 0xcd28:$s5: IClientLoggingHost
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24178:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241a5:$x2: IClientNetworkHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24178:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25253:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24192:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24178:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241a5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24178:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25253:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24192:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.31b9718.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.31b9718.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2bbcab0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2bbcab0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb577:$x1: NanoCore.ClientPluginHost 0x12688:$x1: NanoCore.ClientPluginHost 0x18955:$x1: NanoCore.ClientPluginHost 0x22fa7:$x1: NanoCore.ClientPluginHost 0x2d417:$x1: NanoCore.ClientPluginHost 0x3843d:$x1: NanoCore.ClientPluginHost 0x44227:$x1: NanoCore.ClientPluginHost 0x4ffe6:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb5b0:$x2: IClientNetworkHost 0x1898e:$x2: IClientNetworkHost 0x23104:$x2: IClientNetworkHost 0x2d450:$x2: IClientNetworkHost 0x38457:$x2: IClientNetworkHost 0x44241:$x2: IClientNetworkHost 0x50023:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb577:$x2: NanoCore.ClientPluginHost 0x12688:$x2: NanoCore.ClientPluginHost 0x18955:$x2: NanoCore.ClientPluginHost 0x22fa7:$x2: NanoCore.ClientPluginHost 0x2d417:$x2: NanoCore.ClientPluginHost 0x3843d:$x2: NanoCore.ClientPluginHost 0x44227:$x2: NanoCore.ClientPluginHost 0x4ffe6:$x2: NanoCore.ClientPluginHost 0x23efd:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb67b:$s4: PipeCreated 0x12766:$s4: PipeCreated 0x18a70:$s4: PipeCreated 0x2319d:$s4: PipeCreated 0x2d562:$s4: PipeCreated 0x39472:$s4: PipeCreated 0x45fd2:$s4: PipeCreated 0x53439:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb591:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb577:$a: NanoCore 0xb5f3:$a: NanoCore 0xded6:$a: NanoCore 0x12688:$a: NanoCore 0x126d2:$a: NanoCore 0x1332c:$a: NanoCore 0x18955:$a: NanoCore 0x189cf:$a: NanoCore 0x22fa7:$a: NanoCore 0x23091:$a: NanoCore 0x23f08:$a: NanoCore
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ce:$x2: IClientNetworkHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2987c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287bb:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b9e5cf.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3b9e5cf.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e24c9f.35.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e24c9f.35.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x1193b:$x1: NanoCore.ClientPluginHost 0x3683f:$x1: NanoCore.ClientPluginHost 0x45c7f:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost 0x11955:$x2: IClientNetworkHost 0x36859:$x2: IClientNetworkHost 0x45cbc:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x1193b:$x2: NanoCore.ClientPluginHost 0x3683f:$x2: NanoCore.ClientPluginHost 0x45c7f:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x136e6:$s4: PipeCreated 0x39b7c:$s4: PipeCreated 0x490d2:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost 0x11928:$s5: IClientLoggingHost 0x3682c:$s5: IClientLoggingHost 0x45ca9:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6db0000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6db0000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xf11cd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xf120a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf4d3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xf0f35:$a: NanoCore 0xf0f45:$a: NanoCore 0xf1179:$a: NanoCore 0xf118d:$a: NanoCore 0xf11cd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xf0f94:$b: ClientPlugin 0xf1196:$b: ClientPlugin 0xf11d6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xf10bb:$c: ProjectData 0x10a82:$d: DESCrypto 0xf1ac2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.JMG Memo-Circular No 018-21.PDF.exe.5170000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5170000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5d7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d604:$x2: IClientNetworkHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5d7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6b2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f1:$s5: IClientLoggingHost
19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d58d:$a: NanoCore 0x2d5a2:$a: NanoCore 0x2d5d7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d349:$b: ClientPlugin 0x2d364:$b: ClientPlugin
7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x1ff1d:$x1: NanoCore.ClientPluginHost 0x2d0cb:$x1: NanoCore.ClientPluginHost 0x36f5f:$x1: NanoCore.ClientPluginHost 0x3e070:$x1: NanoCore.ClientPluginHost 0x4433d:$x1: NanoCore.ClientPluginHost 0x4e98f:$x1: NanoCore.ClientPluginHost 0x58dff:$x1: NanoCore.ClientPluginHost 0x63e25:$x1: NanoCore.ClientPluginHost 0x6fc0f:$x1: NanoCore.ClientPluginHost 0x7b9ce:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x1ff4a:$x2: IClientNetworkHost 0x2d104:$x2: IClientNetworkHost 0x36f98:$x2: IClientNetworkHost 0x44376:$x2: IClientNetworkHost 0x4eaec:$x2: IClientNetworkHost 0x58e38:$x2: IClientNetworkHost 0x63e3f:$x2: IClientNetworkHost 0x6fc29:$x2: IClientNetworkHost 0x7ba0b:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x1ff1d:$x2: NanoCore.ClientPluginHost 0x2d0cb:$x2: NanoCore.ClientPluginHost 0x36f5f:$x2: NanoCore.ClientPluginHost 0x3e070:$x2: NanoCore.ClientPluginHost 0x4433d:$x2: NanoCore.ClientPluginHost 0x4e98f:$x2: NanoCore.ClientPluginHost 0x58dff:$x2: NanoCore.ClientPluginHost 0x63e25:$x2: NanoCore.ClientPluginHost 0x6fc0f:$x2: NanoCore.ClientPluginHost 0x7b9ce:$x2: NanoCore.ClientPluginHost 0x20eec:$s2: FileCommand 0x4f8e5:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x258ee:$s4: PipeCreated 0x2d1e8:$s4: PipeCreated 0x37063:$s4: PipeCreated 0x3e14e:$s4: PipeCreated 0x44458:$s4: PipeCreated 0x4eb85:$s4: PipeCreated 0x58f4a:$s4: PipeCreated
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x1fef7:$a: NanoCore 0x1ff1d:$a: NanoCore 0x1ff79:$a: NanoCore 0x2ce13:$a: NanoCore 0x2ce6c:$a: NanoCore 0x2ce9f:$a: NanoCore 0x2d0cb:$a: NanoCore 0x2d147:$a: NanoCore 0x2d760:$a: NanoCore 0x2d8a9:$a: NanoCore 0x2dd7d:$a: NanoCore 0x2e064:$a: NanoCore 0x2e07b:$a: NanoCore 0x36f5f:$a: NanoCore 0x36fdb:$a: NanoCore 0x398be:$a: NanoCore 0x3e070:$a: NanoCore 0x3e0ba:$a: NanoCore
7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0xf2a3:$x1: NanoCore.ClientPluginHost 0x22a11:$x1: NanoCore.ClientPluginHost 0x3064b:$x1: NanoCore.ClientPluginHost 0x40867:$x1: NanoCore.ClientPluginHost 0x4d9d0:$x1: NanoCore.ClientPluginHost 0x530c3:$x1: NanoCore.ClientPluginHost 0x5934c:$x1: NanoCore.ClientPluginHost 0x6395b:$x1: NanoCore.ClientPluginHost 0x6dd86:$x1: NanoCore.ClientPluginHost 0x78d63:$x1: NanoCore.ClientPluginHost 0x84b05:$x1: NanoCore.ClientPluginHost 0xa9a09:$x1: NanoCore.ClientPluginHost 0xb8e49:$x1: NanoCore.ClientPluginHost 0xc609e:$x1: NanoCore.ClientPluginHost 0xd107b:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost 0xf2bd:$x2: IClientNetworkHost 0x22a3e:$x2: IClientNetworkHost 0x30675:$x2: IClientNetworkHost 0x40894:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5fb1:$a: NanoCore 0x5fc9:$a: NanoCore 0x5fee:$a: NanoCore 0xf20d:$a: NanoCore 0xf266:$a: NanoCore 0xf2a3:$a: NanoCore 0xf31c:$a: NanoCore 0x229c7:$a: NanoCore 0x229dc:$a: NanoCore 0x22a11:$a: NanoCore 0x30626:$a: NanoCore 0x3064b:$a: NanoCore 0x306a4:$a: NanoCore 0x40841:$a: NanoCore 0x40867:$a: NanoCore 0x408c3:$a: NanoCore 0x4d718:$a: NanoCore 0x4d771:$a: NanoCore 0x4d7a4:$a: NanoCore 0x4d9d0:$a: NanoCore 0x4da4c:$a: NanoCore
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d53:$x1: NanoCore.ClientPluginHost 0x1fbe7:$x1: NanoCore.ClientPluginHost 0x26cf8:$x1: NanoCore.ClientPluginHost 0x2cfc5:$x1: NanoCore.ClientPluginHost 0x37617:$x1: NanoCore.ClientPluginHost 0x41a87:$x1: NanoCore.ClientPluginHost 0x4caad:$x1: NanoCore.ClientPluginHost 0x58897:$x1: NanoCore.ClientPluginHost 0x64656:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d8c:$x2: IClientNetworkHost 0x1fc20:$x2: IClientNetworkHost 0x2cffe:$x2: IClientNetworkHost 0x37774:$x2: IClientNetworkHost 0x41ac0:$x2: IClientNetworkHost 0x4cac7:$x2: IClientNetworkHost 0x588b1:$x2: IClientNetworkHost 0x64693:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d53:$x2: NanoCore.ClientPluginHost 0x1fbe7:$x2: NanoCore.ClientPluginHost 0x26cf8:$x2: NanoCore.ClientPluginHost 0x2cfc5:$x2: NanoCore.ClientPluginHost 0x37617:$x2: NanoCore.ClientPluginHost 0x41a87:$x2: NanoCore.ClientPluginHost 0x4caad:$x2: NanoCore.ClientPluginHost 0x58897:$x2: NanoCore.ClientPluginHost 0x64656:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x3856d:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e70:$s4: PipeCreated 0x1fceb:$s4: PipeCreated 0x26dd6:$s4: PipeCreated 0x2d0e0:$s4: PipeCreated 0x3780d:$s4: PipeCreated 0x41bd2:$s4: PipeCreated 0x4dae2:$s4: PipeCreated 0x5a642:$s4: PipeCreated
7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a9b:$a: NanoCore 0x15af4:$a: NanoCore 0x15b27:$a: NanoCore 0x15d53:$a: NanoCore 0x15dcf:$a: NanoCore 0x163e8:$a: NanoCore 0x16531:$a: NanoCore 0x16a05:$a: NanoCore 0x16cec:$a: NanoCore 0x16d03:$a: NanoCore 0x1fbe7:$a: NanoCore 0x1fc63:$a: NanoCore 0x22546:$a: NanoCore 0x26cf8:$a: NanoCore 0x26d42:$a: NanoCore 0x2799c:$a: NanoCore 0x2cfc5:$a: NanoCore 0x2d03f:$a: NanoCore
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ba81d4.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10937:$x1: NanoCore.ClientPluginHost 0x10951:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3ba81d4.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x10937:$x2: NanoCore.ClientPluginHost 0x13c74:$s4: PipeCreated 0x10924:$s5: IClientLoggingHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x44c95:$x1: NanoCore.ClientPluginHost 0x4af1e:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0x766d7:$x1: NanoCore.ClientPluginHost 0x9b5db:$x1: NanoCore.ClientPluginHost 0xaaa1b:$x1: NanoCore.ClientPluginHost 0xb7c70:$x1: NanoCore.ClientPluginHost 0xc2c4d:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x4af57:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0x2d603:$x1: NanoCore.ClientPluginHost 0x3a76c:$x1: NanoCore.ClientPluginHost 0x3fe5f:$x1: NanoCore.ClientPluginHost 0x460e8:$x1: NanoCore.ClientPluginHost 0x506f7:$x1: NanoCore.ClientPluginHost 0x5ab22:$x1: NanoCore.ClientPluginHost 0x65aff:$x1: NanoCore.ClientPluginHost 0x718a1:$x1: NanoCore.ClientPluginHost 0x967a5:$x1: NanoCore.ClientPluginHost 0xa5be5:$x1: NanoCore.ClientPluginHost 0xb2e3a:$x1: NanoCore.ClientPluginHost 0xbde17:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost 0x2d630:$x2: IClientNetworkHost 0x3a7a5:$x2: IClientNetworkHost 0x46121:$x2: IClientNetworkHost 0x50854:$x2: IClientNetworkHost 0x5ab5b:$x2: IClientNetworkHost
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xbe5ad:$x1: NanoCore.ClientPluginHost 0xbe5ea:$x2: IClientNetworkHost 0xc211d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x3eaa5:$a: NanoCore 0x3fe5f:$a: NanoCore
0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xbe315:$a: NanoCore 0xbe325:$a: NanoCore 0xbe559:$a: NanoCore 0xbe56d:$a: NanoCore 0xbe5ad:$a: NanoCore 0xbe374:$b: ClientPlugin 0xbe576:$b: ClientPlugin 0xbe5b6:$b: ClientPlugin 0xbe49b:$c: ProjectData 0xbeea2:$d: DESCrypto 0xc686e:$e: KeepAlive 0xc485c:$g: LogClientMessage 0xc0a57:$i: get_Connected 0xbf1d8:$j: #=q 0xbf208:$j: #=q 0xbf224:$j: #=q 0xbf254:$j: #=q 0xbf270:$j: #=q 0xbf28c:$j: #=q 0xbf2bc:$j: #=q 0xbf2d8:$j: #=q
Click to see the 157 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, ProcessId: 6628, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' , ParentImage: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, ParentProcessId: 3540, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp', ProcessId: 6568

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, NewProcessName: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, OriginalFileName: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' , ParentImage: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe, ParentProcessId: 3540, ProcessCommandLine: {path}, ProcessId: 6628

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\GmaLrlDR.exe

ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Show sources

Source: JMG Memo-Circular No 018-21.PDF.exe

ReversingLabs: Detection: 12%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE

Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack	Avira: Label: TR/NanoCore.fadte
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack	Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files

Show sources

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49718 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49719 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49720 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49727 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49728 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49734 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49735 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49736 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49737 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 91.212.153.84:9036

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: shahzad73.ddns.net
Source: Malware configuration extractor	URLs: shahzad73.casacam.net

Source: global traffic

TCP traffic: 192.168.2.5:49718 -> 91.212.153.84:9036

Source: Joe Sandbox View

IP Address: 91.212.153.84 91.212.153.84

Source: Joe Sandbox View

ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE MYLOC-ASIPBackboneofmyLocmanagedITAGDE

Source: unknown

DNS traffic detected: queries for: shahzad73.casacam.net

Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.278347739.00000000031C1000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.349609477.0000000002E71000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232454691.000000000628D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232454691.000000000628D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comB
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn(
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnB
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232848694.000000000628D000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232837315.0000000006285000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.B
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.233327903.000000000628B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.l
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coms-e
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227665199.0000000006288000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comq
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.278139983.000000000169B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6d90000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e2e8a4.36.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.31b9718.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2bbcab0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b9e5cf.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e24c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6db0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5170000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ba81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: JMG Memo-Circular No 018-21.PDF.exe

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_0307D20C
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_0307F2C0
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_0307F2D0
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_097A6010
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_097A7948
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_097A0040
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_097A0012
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_097A1D7D
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_06E73898
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_06E642EB
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_06E646D3
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_06E63324
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_02A4E480
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_02A4E471
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 7_2_02A4BBD4
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013CD20C
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013CF2D0
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013CF2C3
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07396010
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07391D7D
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07397948
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07390007
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07390040
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_0182E480
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_0182E471
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_0182BBD4
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_05733E30
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_05734A50
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_05734B08

Source: JMG Memo-Circular No 018-21.PDF.exe	Binary or memory string: OriginalFilename vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename5o& vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.278139983.000000000169B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.290102585.0000000009710000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.289718051.00000000091B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.290225202.0000000009770000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.290225202.0000000009770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe	Binary or memory string: OriginalFilename vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.488524867.0000000000712000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename5o& vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.497526410.0000000005130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501255794.0000000007080000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe	Binary or memory string: OriginalFilename vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.358012947.0000000006EF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.347449069.0000000000872000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename5o& vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.359947823.0000000008DC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe	Binary or memory string: OriginalFilename vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.365392863.0000000000D62000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename5o& vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.367544946.00000000056F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs JMG Memo-Circular No 018-21.PDF.exe
Source: JMG Memo-Circular No 018-21.PDF.exe	Binary or memory string: OriginalFilename5o& vs JMG Memo-Circular No 018-21.PDF.exe

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6d90000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6d90000.26.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b99930.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ef4a1e.17.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e2e8a4.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e2e8a4.36.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.31b9718.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.31b9718.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2bbcab0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2bbcab0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c43f90.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b9e5cf.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3b9e5cf.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e24c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e24c9f.35.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e10000.33.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6bf0000.25.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6df0000.32.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3edd7bf.16.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6da0000.27.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ee65ee.15.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dd0000.30.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6db0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6db0000.28.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e60000.37.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5170000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5170000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6e20000.34.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6de0000.31.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c185a8.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5380000.23.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.6dc0000.29.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.2c2f920.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ba81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3ba81d4.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/10@15/2

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File created: C:\Users\user\AppData\Roaming\GmaLrlDR.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_01
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\QeEchgPSOU
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1B75.tmp

Jump to behavior

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: JMG Memo-Circular No 018-21.PDF.exe

ReversingLabs: Detection: 12%

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File read: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC90F.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe 'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC90F.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JMG Memo-Circular No 018-21.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 0_2_09AE3DB7 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C4121 push ecx; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C4123 push ecx; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C41E1 push esp; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C41E3 push esp; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C42D7 push edi; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C42D3 push esi; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C4513 push edi; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C4491 push edi; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_013C4493 push edi; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_05351598 push eax; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_07183DD5 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_071811B8 push cs; ret
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 13_2_073999E3 push 8BF08B66h; retf
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Code function: 19_2_05736E5D push FFFFFF8Bh; iretd

Source: initial sample	Static PE information: section name: .text entropy: 6.85708013981
Source: initial sample	Static PE information: section name: .text entropy: 6.85708013981

Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File created: C:\Users\user\AppData\Roaming\GmaLrlDR.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File opened: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe:Zone.Identifier read attributes | delete

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: JMG Memo-Circular No 018-21.PDF.exe

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Window / User API: threadDelayed 7797
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Window / User API: threadDelayed 1288
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Window / User API: foregroundWindowGot 588
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Window / User API: foregroundWindowGot 687

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 3060	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 7040	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 7108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 6428	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501255794.0000000007080000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501255794.0000000007080000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501255794.0000000007080000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501255794.0000000007080000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Memory written: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Memory written: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC90F.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp'
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Process created: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe {path}

Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.493176991.0000000002D05000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.491171992.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.491171992.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.491171992.0000000001410000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501419232.00000000073EB000.00000004.00000001.sdmp	Binary or memory string: Program Managerram Manager
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: Program Managerx
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.491171992.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.491171992.0000000001410000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	Binary or memory string: Program Managert
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.501553444.0000000007BAB000.00000004.00000001.sdmp	Binary or memory string: Program Manager 8

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Code function: 7_2_06E730B0 GetSystemTimes,

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JMG Memo-Circular No 018-21.PDF.exe	String found in binary or memory: NanoCore.ClientPluginHost
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: JMG Memo-Circular No 018-21.PDF.exe, 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 3540, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6376, type: MEMORY
Source: Yara match	File source: Process Memory Space: JMG Memo-Circular No 018-21.PDF.exe PID: 6628, type: MEMORY
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a4c4d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.JMG Memo-Circular No 018-21.PDF.exe.3f33400.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3be4c4d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.41a0624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.5234629.21.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.4283400.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3bfdc41.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.JMG Memo-Circular No 018-21.PDF.exe.419b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3da57cc.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db3bfa.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.JMG Memo-Circular No 018-21.PDF.exe.3db8a30.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JMG Memo-Circular No 018-21.PDF.exe.42b6020.1.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection112	Masquerading11	Input Capture21	System Time Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Security Software Discovery121	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information12	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing12	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
JMG Memo-Circular No 018-21.PDF.exe	12%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\GmaLrlDR.exe	12%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.JMG Memo-Circular No 018-21.PDF.exe.5230000.20.unpack	100%	Avira	TR/NanoCore.fadte	Download File
13.2.JMG Memo-Circular No 018-21.PDF.exe.43de1b8.2.unpack	100%	Avira	HEUR/AGEN.1110362	Download File
7.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
19.2.JMG Memo-Circular No 018-21.PDF.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
7.2.JMG Memo-Circular No 018-21.PDF.exe.3bf9618.11.unpack	100%	Avira	TR/NanoCore.fadte	Download File
0.2.JMG Memo-Circular No 018-21.PDF.exe.472e1b8.3.unpack	100%	Avira	HEUR/AGEN.1110362	Download File

Domains

Source	Detection	Scanner	Label	Link
shahzad73.casacam.net	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
shahzad73.ddns.net	1%	Virustotal		Browse
shahzad73.ddns.net	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.comq	0%	Avira URL Cloud	safe
http://www.esvstudybible.org/search?q=	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://topicalmemorysystem.googlecode.com/files/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cnB	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.carterandcone.comB	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.l	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.monotype.B	0%	Avira URL Cloud	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.sajatypeworks.coma	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sajatypeworks.come	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn(	0%	Avira URL Cloud	safe
http://www.sajatypeworks.coms-e	0%	Avira URL Cloud	safe
shahzad73.casacam.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
shahzad73.casacam.net	91.212.153.84	true	true	5%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
shahzad73.ddns.net	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
shahzad73.casacam.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.biblegateway.com/passage/?search=	JMG Memo-Circular No 018-21.PDF.exe	false		high
http://www.tiro.comq	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227665199.0000000006288000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.esvstudybible.org/search?q=	JMG Memo-Circular No 018-21.PDF.exe	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=	JMG Memo-Circular No 018-21.PDF.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232454691.000000000628D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://topicalmemorysystem.googlecode.com/files/	JMG Memo-Circular No 018-21.PDF.exe	false	Avira URL Cloud: safe	unknown
http://www.biblija.net/biblija.cgi?m=	JMG Memo-Circular No 018-21.PDF.exe	false		high
http://www.founder.com.cn/cnB	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comB	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232454691.000000000628D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.monotype.	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232848694.000000000628D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.l	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.233327903.000000000628B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.blueletterbible.org/Bible.cfm?b=	JMG Memo-Circular No 018-21.PDF.exe	false		high
http://www.jiyu-kobo.co.jp/	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.B	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.232837315.0000000006285000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.coma	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.278347739.00000000031C1000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.349609477.0000000002E71000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.come	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000002.286703897.0000000007492000.00000004.00000001.sdmp, JMG Memo-Circular No 018-21.PDF.exe, 0000000D.00000002.357332280.0000000005DF0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn(	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.227574315.0000000006288000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.coms-e	JMG Memo-Circular No 018-21.PDF.exe, 00000000.00000003.225859456.000000000629B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.212.153.84	unknown	unknown		24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356480
Start date:	23.02.2021
Start time:	08:39:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 51s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	JMG Memo-Circular No 018-21.PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/10@15/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 100% Quality standard deviation: 0%
HCA Information:	Successful, ratio: 91% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 131.253.33.200, 13.107.22.200, 13.64.90.137, 92.122.145.220, 40.88.32.150, 13.88.21.125, 52.255.188.83, 23.218.208.56, 51.103.5.159, 2.20.142.209, 2.20.142.210, 51.104.139.180, 92.122.213.194, 92.122.213.247, 51.11.168.160, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:39:59	API Interceptor	767x Sleep call for process: JMG Memo-Circular No 018-21.PDF.exe modified
08:40:20	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
91.212.153.84	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Get hash	malicious	Browse
	POEA ADVISORY ON DELISTED AGENCIES.PDF.exe	Get hash	malicious	Browse
	Swift copy_BILLING INVOICE.pdf.exe	Get hash	malicious	Browse
	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse
	POEA ADVISORY NO 450 2021.pdf.exe	Get hash	malicious	Browse
	POEA DELISTED AGENCIES (BATCH A).PDF.exe	Get hash	malicious	Browse
	POEA MEMORANDUM N0 056.exe	Get hash	malicious	Browse
	Protected.exe	Get hash	malicious	Browse
	Protected.2.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
shahzad73.casacam.net	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	Swift copy_BILLING INVOICE.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY NO 450 2021.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA DELISTED AGENCIES (BATCH A).PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA MEMORANDUM N0 056.exe	Get hash	malicious	Browse	91.212.153.84
	Protected.exe	Get hash	malicious	Browse	91.212.153.84
	Protected.2.exe	Get hash	malicious	Browse	91.212.153.84

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MYLOC-ASIPBackboneofmyLocmanagedITAGDE	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	Swift copy_BILLING INVOICE.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY NO 450 2021.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA DELISTED AGENCIES (BATCH A).PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA MEMORANDUM N0 056.exe	Get hash	malicious	Browse	91.212.153.84
	Swift_Payment_jpeg.exe	Get hash	malicious	Browse	62.141.37.17
	Protected.exe	Get hash	malicious	Browse	91.212.153.84
	Protected.2.exe	Get hash	malicious	Browse	91.212.153.84
	FickerStealer.exe	Get hash	malicious	Browse	89.163.225.172
	Documentaci#U00f3n.doc	Get hash	malicious	Browse	89.163.210.141
	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe	Get hash	malicious	Browse	89.163.140.102
	TaskAudio Driver.exe	Get hash	malicious	Browse	193.111.198.220
	Z8363664.doc	Get hash	malicious	Browse	89.163.210.141
	OhGodAnETHlargementPill2.exe	Get hash	malicious	Browse	193.111.198.220
	godflex-r2.exe	Get hash	malicious	Browse	193.111.198.220
	PolarisBiosEditor-master.exe	Get hash	malicious	Browse	193.111.198.220
	NKsplucdAu.exe	Get hash	malicious	Browse	85.114.134.88
	lZVNh1BPxm.exe	Get hash	malicious	Browse	85.114.134.88

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JMG Memo-Circular No 018-21.PDF.exe.log Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp1B75.tmp Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.16503394644957
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBqtn:cbhC7ZlNQF/rydbz9I3YODOLNdq32
MD5:	E8925C09B9BB23D063EE91146E77209B
SHA1:	1072F71BEF66C046ADCC8E9AA7E80660FCF666AA
SHA-256:	4D2ED0F58CA386198F355B70090AB55CB43F4C09FFAFC188A2CBB9B08B5D50AD
SHA-512:	BA1E7B1C9EEF7D2EBF63F797AB7217EE63C59B6C6A4B994A331546D291ACAEB05FA3AB277E901D15C76C41EC08800200C3B2D9838C532E805B284DAA4B74FFF4
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.16503394644957
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBqtn:cbhC7ZlNQF/rydbz9I3YODOLNdq32
MD5:	E8925C09B9BB23D063EE91146E77209B
SHA1:	1072F71BEF66C046ADCC8E9AA7E80660FCF666AA
SHA-256:	4D2ED0F58CA386198F355B70090AB55CB43F4C09FFAFC188A2CBB9B08B5D50AD
SHA-512:	BA1E7B1C9EEF7D2EBF63F797AB7217EE63C59B6C6A4B994A331546D291ACAEB05FA3AB277E901D15C76C41EC08800200C3B2D9838C532E805B284DAA4B74FFF4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t

C:\Users\user\AppData\Local\Temp\tmpC90F.tmp Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1322
Entropy (8bit):	5.130714996587634
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0PQxtn:cbk4oL600QydbQxIYODOLedq3SQj
MD5:	873118250D15609893AB07964F3B2366
SHA1:	87F00CD5D4F91128D2FE6ED69EFCABB87E6EDBAD
SHA-256:	43C45CFCBC19B8127ED719C7532FA1C677D2120C03755A04207E3ADE43F8BE88
SHA-512:	C9EE4356E5F62F4DFA0ABBD4BFEF76107073286E54312332BC19E92CAFC87F347DAC04D5C636C3CEDA1F315EC3D07BD291DC934259583A2686E1E786552DAF58
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	30D23CC577A89146961915B57F408623
SHA1:	9B5709D6081D8E0A570511E6E0AAE96FA041964F
SHA-256:	E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
SHA-512:	2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:A9P:4
MD5:	3D84C57B91B521E65FDEE4541F112EC0
SHA1:	0D127DDC6EB4167551A63D3C27198E3FF1512618
SHA-256:	5EAE71E53B82FDBAC607F1E98BADC83B896C7615B72D1E47FA5A5518B5D2E760
SHA-512:	353A83E5354F540C99D379A015C0089B50E673869A8E395C291C21868F749AB1E1B9ED283B07500247B1DC054FD7DF0C87BA8AEF4E4AF37F77A7BA518BE71FFE
Malicious:	true
Preview:	......H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.846720753111607
Encrypted:	false
SSDEEP:	3:oNUWJRWv69XiKA16A:oNNJAupA0A
MD5:	255273167AB1F8F99E97AD1AD0A47F10
SHA1:	24C23E0E0627C103CA6FEF02EF506960494C4085
SHA-256:	7ED75483CB10B524E172E8DBE810B5F9871AF1DE0E1379076916E04367D9233C
SHA-512:	82817A6D63AE5247CB865723660381A9A63C05831E8EB564075134F19F0D3E2377D792A49A23C74CB18794B5305B137732E0D56E8FBD3F8834A7FE810BF6F389
Malicious:	false
Preview:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe

C:\Users\user\AppData\Roaming\GmaLrlDR.exe Download File
Process:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	714240
Entropy (8bit):	6.848207378321331
Encrypted:	false
SSDEEP:	12288:/GTEIGBl1jcqvSq5HGO9rHCrnaRsGFPY6:/4GJoGb586sGW
MD5:	F12D78AE2CE77B187E98B382BC400E6E
SHA1:	A4A09F0297221E8E3D8F510F139A10B30B9BB7E8
SHA-256:	019DCE879F64D1A5A23DE8AE1D0EAC08200954B26665232507187E7F524B4F24
SHA-512:	579431D0548682078764625D5557CA247371AD661483067A0A6F167DD2BBCC6597BF1EB38D1E6C1442FBA0C5FE4166B23EE088716669EE023ED40FD2D74D12FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 12%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n4`..............0.................. ........@.. .......................@............@.....................................O............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......,[..t............C.. ..............................................}.....(.......(......{....r...p~/...(....o......{....o....&..0............r...p(....&......o....&......................n..t.....o......{....o....&.....(.....~..{....o......{....o....(......0..+.........,..{.......+....,...{....o........( ......0............s!...}.........("...s#.....s$...}.....s%...}.....s%...}......{....s&...}.....s'...}.....s%...}.....s%...}.....s(...}.....{....o).....{....o)..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.848207378321331
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	JMG Memo-Circular No 018-21.PDF.exe
File size:	714240
MD5:	f12d78ae2ce77b187e98b382bc400e6e
SHA1:	a4a09f0297221e8e3d8f510f139a10b30b9bb7e8
SHA256:	019dce879f64d1a5a23de8ae1d0eac08200954b26665232507187e7f524b4f24
SHA512:	579431d0548682078764625d5557ca247371ad661483067a0a6f167dd2bbcc6597bf1eb38d1e6c1442fba0c5fe4166b23ee088716669ee023ed40fd2d74d12fb
SSDEEP:	12288:/GTEIGBl1jcqvSq5HGO9rHCrnaRsGFPY6:/4GJoGb586sGW
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n4`..............0.................. ........@.. .......................@............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4afa12
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x60346EDF [Tue Feb 23 02:56:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xaf9c0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x5bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xada18	0xadc00	False	0.641475101169	data	6.85708013981	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x5bc	0x600	False	0.427734375	data	4.17835569361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb0090	0x32c	data
RT_MANIFEST	0xb03cc	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	1.0.0.0
InternalName	5owG60.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Core.Numero
ProductVersion	1.0.0.0
FileDescription	Core.Numero
OriginalFilename	5owG60.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-08:40:22.477560	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	9036	192.168.2.5	91.212.153.84
02/23/21-08:40:31.001172	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	9036	192.168.2.5	91.212.153.84
02/23/21-08:40:38.101612	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	9036	192.168.2.5	91.212.153.84
02/23/21-08:40:44.976945	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	9036	192.168.2.5	91.212.153.84
02/23/21-08:40:52.211286	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	9036	192.168.2.5	91.212.153.84
02/23/21-08:40:59.018915	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49728	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:06.599920	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49734	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:15.848682	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:22.701844	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49736	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:29.724607	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49737	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:34.259656	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49739	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:40.252014	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49740	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:45.641221	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49741	9036	192.168.2.5	91.212.153.84
02/23/21-08:41:53.912826	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	9036	192.168.2.5	91.212.153.84

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:40:22.306313038 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.362927914 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:22.363090038 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.477560043 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.541064978 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:22.609545946 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.663753986 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:22.713645935 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.856252909 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:22.936887980 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.001763105 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.001796007 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.001812935 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.001830101 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.002203941 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.045665979 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.055763006 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.055793047 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.055939913 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.055958986 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.055980921 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.055999041 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.056015968 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.056032896 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.056036949 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.056075096 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.056081057 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.056086063 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.109719992 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109749079 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109766006 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109782934 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109798908 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109814882 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109831095 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109849930 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109869003 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109882116 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109899998 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109916925 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109920025 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.109930992 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109942913 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.109952927 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.109956980 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109975100 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.109987020 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.109992027 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.113658905 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.113692045 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.163817883 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163847923 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163866043 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163883924 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163901091 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163914919 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163932085 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163949966 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163968086 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.163975000 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.163985968 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164010048 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164027929 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164043903 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164057016 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164073944 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164093971 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164112091 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164113045 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.164120913 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.164129019 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164145947 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164161921 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.164248943 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.164261103 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.164263964 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.166469097 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.166491985 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.166610003 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.166629076 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.166822910 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.166850090 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.167081118 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167100906 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167117119 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167133093 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167149067 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167167902 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167185068 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167236090 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.167397976 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.167418957 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.167423010 CET	49718	9036	192.168.2.5	91.212.153.84
Feb 23, 2021 08:40:23.217665911 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217693090 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217711926 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217730045 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217746973 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217761993 CET	9036	49718	91.212.153.84	192.168.2.5
Feb 23, 2021 08:40:23.217778921 CET	9036	49718	91.212.153.84	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 08:39:44.691495895 CET	64344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:44.730628014 CET	62060	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:44.740154028 CET	53	64344	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:44.779218912 CET	53	62060	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:45.486394882 CET	61805	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:45.543379068 CET	53	61805	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:46.681488037 CET	54795	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:46.730142117 CET	53	54795	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:47.484688997 CET	49557	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:47.541548967 CET	53	49557	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:48.200928926 CET	61733	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:48.258153915 CET	53	61733	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:48.261364937 CET	65447	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:48.312700987 CET	53	65447	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:49.133738041 CET	52441	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:49.216839075 CET	53	52441	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:50.872056007 CET	62176	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:50.921138048 CET	53	62176	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:51.670185089 CET	59596	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:51.721510887 CET	53	59596	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:52.497791052 CET	65296	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:52.549416065 CET	53	65296	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:53.853389978 CET	63183	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:53.910558939 CET	53	63183	8.8.8.8	192.168.2.5
Feb 23, 2021 08:39:55.442152023 CET	60151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:39:55.493588924 CET	53	60151	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:13.955656052 CET	56969	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:14.015691042 CET	53	56969	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:22.075712919 CET	55161	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:22.290473938 CET	53	55161	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:30.885245085 CET	54757	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:30.945283890 CET	53	54757	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:37.830142975 CET	49992	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:38.041395903 CET	53	49992	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:39.956291914 CET	60075	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:40.899060965 CET	53	60075	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:44.864003897 CET	55016	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:44.920957088 CET	53	55016	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:44.984555960 CET	64345	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:45.042771101 CET	53	64345	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:45.509427071 CET	57128	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:45.558054924 CET	53	57128	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:52.009077072 CET	54791	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:52.060513973 CET	53	54791	8.8.8.8	192.168.2.5
Feb 23, 2021 08:40:58.732026100 CET	50463	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:40:58.947155952 CET	53	50463	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:03.406004906 CET	50394	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:03.465306997 CET	53	50394	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:06.286660910 CET	58530	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:06.343776941 CET	53	58530	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:13.806901932 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:14.826397896 CET	53813	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:15.792766094 CET	53	53813	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:22.557945013 CET	63732	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:22.615175962 CET	53	63732	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:29.611041069 CET	57344	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:29.668272972 CET	53	57344	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:33.882359982 CET	54450	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:33.936230898 CET	53	54450	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:34.144674063 CET	59261	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:34.203854084 CET	53	59261	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:40.148147106 CET	57151	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:40.196775913 CET	53	57151	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:45.525274992 CET	59413	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:45.585443974 CET	53	59413	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:53.790009022 CET	60516	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:53.838754892 CET	53	60516	8.8.8.8	192.168.2.5
Feb 23, 2021 08:41:55.965818882 CET	51649	53	192.168.2.5	8.8.8.8
Feb 23, 2021 08:41:56.041786909 CET	53	51649	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 08:40:22.075712919 CET	192.168.2.5	8.8.8.8	0xa521	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:30.885245085 CET	192.168.2.5	8.8.8.8	0x43aa	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:37.830142975 CET	192.168.2.5	8.8.8.8	0x85c	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:44.864003897 CET	192.168.2.5	8.8.8.8	0xe3de	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:52.009077072 CET	192.168.2.5	8.8.8.8	0xe92	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:58.732026100 CET	192.168.2.5	8.8.8.8	0x681b	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:06.286660910 CET	192.168.2.5	8.8.8.8	0x3f0d	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:13.806901932 CET	192.168.2.5	8.8.8.8	0xe5e7	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:14.826397896 CET	192.168.2.5	8.8.8.8	0xe5e7	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:22.557945013 CET	192.168.2.5	8.8.8.8	0x924e	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:29.611041069 CET	192.168.2.5	8.8.8.8	0xfa33	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:34.144674063 CET	192.168.2.5	8.8.8.8	0x99c8	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:40.148147106 CET	192.168.2.5	8.8.8.8	0x1f1a	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:45.525274992 CET	192.168.2.5	8.8.8.8	0x31da	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:53.790009022 CET	192.168.2.5	8.8.8.8	0x4858	Standard query (0)	shahzad73.casacam.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 08:40:22.290473938 CET	8.8.8.8	192.168.2.5	0xa521	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:30.945283890 CET	8.8.8.8	192.168.2.5	0x43aa	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:38.041395903 CET	8.8.8.8	192.168.2.5	0x85c	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:44.920957088 CET	8.8.8.8	192.168.2.5	0xe3de	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:52.060513973 CET	8.8.8.8	192.168.2.5	0xe92	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:40:58.947155952 CET	8.8.8.8	192.168.2.5	0x681b	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:06.343776941 CET	8.8.8.8	192.168.2.5	0x3f0d	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:15.792766094 CET	8.8.8.8	192.168.2.5	0xe5e7	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:22.615175962 CET	8.8.8.8	192.168.2.5	0x924e	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:29.668272972 CET	8.8.8.8	192.168.2.5	0xfa33	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:34.203854084 CET	8.8.8.8	192.168.2.5	0x99c8	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:40.196775913 CET	8.8.8.8	192.168.2.5	0x1f1a	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:45.585443974 CET	8.8.8.8	192.168.2.5	0x31da	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)
Feb 23, 2021 08:41:53.838754892 CET	8.8.8.8	192.168.2.5	0x4858	No error (0)	shahzad73.casacam.net	91.212.153.84	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: JMG Memo-Circular No 018-21.PDF.exe PID: 3540 Parent PID: 5740

General

Start time:	08:39:52
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe'
Imagebase:	0xe50000
File size:	714240 bytes
MD5 hash:	F12D78AE2CE77B187E98B382BC400E6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.280456931.00000000041C9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 6568 Parent PID: 3540

General

Start time:	08:40:15
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp1B75.tmp'
Imagebase:	0x9a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6576 Parent PID: 6568

General

Start time:	08:40:16
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JMG Memo-Circular No 018-21.PDF.exe PID: 6628 Parent PID: 3540

General

Start time:	08:40:16
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x710000
File size:	714240 bytes
MD5 hash:	F12D78AE2CE77B187E98B382BC400E6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501005046.0000000006DD0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.498456853.0000000005380000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501098807.0000000006E10000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000007.00000002.492270047.0000000002BFD000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000007.00000002.496807047.0000000003E81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.500985326.0000000006DC0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501114313.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.500970500.0000000006DB0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.500950111.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.500819703.0000000006BF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501154629.0000000006E60000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.496443867.0000000003BE1000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501030742.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.500935667.0000000006D90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.498042432.0000000005230000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.496714685.0000000003DA4000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.488093735.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.492154123.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.501047468.0000000006DF0000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.497599353.0000000005170000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Analysis Process: schtasks.exe PID: 6864 Parent PID: 6628

General

Start time:	08:40:19
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpC90F.tmp'
Imagebase:	0x9a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6888 Parent PID: 6864

General

Start time:	08:40:19
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JMG Memo-Circular No 018-21.PDF.exe PID: 7000 Parent PID: 904

General

Start time:	08:40:20
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe' 0
Imagebase:	0x870000
File size:	714240 bytes
MD5 hash:	F12D78AE2CE77B187E98B382BC400E6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.352208720.0000000003E79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 5660 Parent PID: 7000

General

Start time:	08:40:46
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\GmaLrlDR' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F7C.tmp'
Imagebase:	0xd80000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5716 Parent PID: 5660

General

Start time:	08:40:46
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JMG Memo-Circular No 018-21.PDF.exe PID: 6376 Parent PID: 7000

General

Start time:	08:40:47
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\JMG Memo-Circular No 018-21.PDF.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xd60000
File size:	714240 bytes
MD5 hash:	F12D78AE2CE77B187E98B382BC400E6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.366475568.0000000003151000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.366560257.0000000004159000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000013.00000002.365338773.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report JMG Memo-Circular No 018-21.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre