
Windows Analysis Report dUzAkYsvl8.exe

Overview

General Information

Sample Name: dUzAkYsvl8.exe
Analysis ID: 500304
MD5: 9a4a8643db95a8c0fe52af8675a5d1b1
SHA1: c6beb75cbc168f9224ace74c0dcfb29df6197e82
SHA256: b4e2d864ec03943310548bfbc963a0848bd08e088429c5ce05759face5d380d2
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to execute programs as a different user
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Process Tree

  • System is w10x64
  • dUzAkYsvl8.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\dUzAkYsvl8.exe' MD5: 9A4A8643DB95A8C0FE52AF8675A5D1B1)
    • cjlaro.pif (PID: 5028 cmdline: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 6364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • schtasks.exe (PID: 5252 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1240 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cjlaro.pif (PID: 2132 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
  • RegSvcs.exe (PID: 6748 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6836 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cjlaro.pif (PID: 7152 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • RegSvcs.exe (PID: 3676 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 3460 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • cjlaro.pif (PID: 3016 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
    • cjlaro.pif (PID: 4504 cmdline: 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr MD5: 279DAE7236F5F2488A4BACDE6027F730)
      • RegSvcs.exe (PID: 4968 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 4580 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xfddd:$x1: NanoCore.ClientPluginHost
  • 0xfe1a:$x2: IClientNetworkHost
  • 0x1394d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfb45:$a: NanoCore
  • 0xfb55:$a: NanoCore
  • 0xfd89:$a: NanoCore
  • 0xfd9d:$a: NanoCore
  • 0xfddd:$a: NanoCore
  • 0xfba4:$b: ClientPlugin
  • 0xfda6:$b: ClientPlugin
  • 0xfde6:$b: ClientPlugin
  • 0xfccb:$c: ProjectData
  • 0x106d2:$d: DESCrypto
  • 0x1809e:$e: KeepAlive
  • 0x1608c:$g: LogClientMessage
  • 0x12287:$i: get_Connected
  • 0x10a08:$j: #=q
  • 0x10a38:$j: #=q
  • 0x10a54:$j: #=q
  • 0x10a84:$j: #=q
  • 0x10aa0:$j: #=q
  • 0x10abc:$j: #=q
  • 0x10aec:$j: #=q
  • 0x10b08:$j: #=q
(180 entries in total; only the first are reproduced here)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
5.2.RegSvcs.exe.2a67f10.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40a6:$x1: NanoCore.ClientPluginHost
5.2.RegSvcs.exe.2a67f10.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x40a6:$x2: NanoCore.ClientPluginHost
  • 0x4184:$s4: PipeCreated
  • 0x40c0:$s5: IClientLoggingHost
5.2.RegSvcs.exe.3a807ce.3.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4083:$x1: NanoCore.ClientPluginHost
5.2.RegSvcs.exe.3a807ce.3.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4083:$x2: NanoCore.ClientPluginHost
  • 0x4161:$s4: PipeCreated
  • 0x409d:$s5: IClientLoggingHost
20.3.cjlaro.pif.48ce458.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(118 entries in total; only the first are reproduced here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr, ParentImage: C:\Users\user\77066510\cjlaro.pif, ParentProcessId: 5028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr, ParentImage: C:\Users\user\77066510\cjlaro.pif, ParentProcessId: 5028, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Yara detected Nanocore RAT
Source: Yara match; File source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.391670186.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383169195.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.385532540.00000000010C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.391832360.0000000004419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386511135.000000000478A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383645453.000000000485B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386616181.0000000004756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383202245.0000000004721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383407849.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.406011428.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383348180.0000000004756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
Multi AV Scanner detection for submitted file
Source: dUzAkYsvl8.exe; Virustotal: Detection: 52%
Source: dUzAkYsvl8.exe; ReversingLabs: Detection: 55%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\77066510\cjlaro.pif; Metadefender: Detection: 37%
Source: C:\Users\user\77066510\cjlaro.pif; ReversingLabs: Detection: 55%
Machine Learning detection for sample
Source: dUzAkYsvl8.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\77066510\cjlaro.pif; Joe Sandbox ML: detected
Source: 5.2.RegSvcs.exe.500000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.RegSvcs.exe.61b0000.8.unpack; Avira: Label: TR/NanoCore.fadte
Source: dUzAkYsvl8.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: dUzAkYsvl8.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb; source: dUzAkYsvl8.exe, 00000000.00000000.289072563.0000000000222000.00000002.00020000.sdmp
Source: Binary string: RegSvcs.pdb; source: dhcpmon.exe, 00000010.00000002.347719934.0000000000D32000.00000002.00020000.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb; source: RegSvcs.exe, 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp
Source: Binary string: RegSvcs.pdb; source: dhcpmon.exe
Source: C:\Users\user\Desktop\dUzAkYsvl8.exe; Code function: 0_2_001FA307 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,
Source: C:\Users\user\Desktop\dUzAkYsvl8.exe; Code function: 0_2_0020AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\dUzAkYsvl8.exe; Code function: 0_2_00219FD3 FindFirstFileExA,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0118DE7C FindFirstFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_01182408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0118DE7C FindFirstFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_0118DE7C FindFirstFileW,FindClose,

    Networking:

    barindex
    Connects to many ports of the same IP (likely port scanning)Show sources
    Source: global trafficTCP traffic: 185.19.85.175 ports 2,4,5,6,8,48562
    Source: global trafficTCP traffic: 197.210.84.227 ports 2,4,5,6,8,48562
    Uses dynamic DNS servicesShow sources
    Source: unknownDNS query: name: strongodss.ddns.net
    Source: global trafficTCP traffic: 192.168.2.3:49746 -> 197.210.84.227:48562
    Source: global trafficTCP traffic: 192.168.2.3:49764 -> 185.19.85.175:48562
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmpString found in binary or memory: http://crl.micrH
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmpString found in binary or memory: http://crl.microsof
    Source: RegSvcs.exe, 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: cjlaro.pif, 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 0000000A.00000002.337157263.00000000011DB000.00000002.00020000.sdmp, cjlaro.pif, 00000014.00000000.348819086.00000000011DB000.00000002.00020000.sdmpString found in binary or memory: http://www.onnodb.com/aetraymenuH(
    Source: unknownDNS traffic detected: queries for: strongodss.ddns.net
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01172361 InternetReadFile,
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: unknownTCP traffic detected without corresponding DNS query: 185.19.85.175
    Source: C:\Users\user\77066510\cjlaro.pif: Code function: 4_2_01186308 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,
    Source: C:\Users\user\77066510\cjlaro.pif: Code function: 4_2_0118A0FC OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,
    Source: C:\Users\user\77066510\cjlaro.pif: Code function: 4_2_0119D8E9 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,LdrInitializeThunk,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
    Source: cjlaro.pif, 00000004.00000002.334930499.000000000194A000.00000004.00000020.sdmp: Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: RegSvcs.exe, 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp: Binary or memory string: RegisterRawInputDevices
    Source: C:\Users\user\77066510\cjlaro.pif: Code function: 4_2_011AC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
    Source: C:\Users\user\77066510\cjlaro.pif: Code function: 10_2_011AC7D6 SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

    E-Banking Fraud:

    Yara detected Nanocore RAT

    Operating System Destruction:

    Protects its processes via BreakOnTermination flag
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe: Process information set: 01 00 00 00

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020626D
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001F83C0
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0021C0B0
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001F30FC
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00210113
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020F3CA
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_002033D3
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FE510
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00210548
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0021C55E
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FF5C5
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020364E
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00220654
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_002066A2
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001F2692
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020589E
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020F8C6
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020397F
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FE973
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FDADD
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FBAD1
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00213CBA
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00206CDB
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020FCDE
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001F5D7E
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001F3EAD
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00213EE9
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FDF12
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011335F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011398F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01142136
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0114A137
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117F3A6
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0115427D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01142508
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117655F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011398F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0113F730
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01143721
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01141903
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0115088F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0114C8CE
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011428F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01153BA1
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011AEA2B
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117EAD5
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01172D2D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01141D98
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01150DE0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01151F2C
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117CE8D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01174EB7
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0502E471
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0502E480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0502BBD4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_065703F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01142136
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0114A137
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0117F3A6
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0115427D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01142508
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0117655F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011398F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011335F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0113F730
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01143721
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01141903
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0115088F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0114C8CE
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011398F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011428F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01153BA1
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011AEA2B
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0117EAD5
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01172D2D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01141D98
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01150DE0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01151F2C
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0117CE8D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01174EB7
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_011335F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_011398F0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0114A137
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0115427D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0117655F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0113F730
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01143721
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01141903
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0115088F
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0114C8CE
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01153BA1
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01172D2D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01150DE0
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01151F2C
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_0117CE8D
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01174EB7
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01176219 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
    Source: cjlaro.pif.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Section loaded: dxgidebug.dll
    Source: dUzAkYsvl8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
    Source: 5.2.RegSvcs.exe.2a67f10.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a67f10.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a807ce.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a807ce.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.6110000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.6110000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.5630000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.5630000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.2a6cd70.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a6cd70.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 5.2.RegSvcs.exe.2a67f10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.2a67f10.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.391670186.0000000003411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383169195.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383169195.00000000047BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.385532540.00000000010C3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.385532540.00000000010C3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000019.00000002.391832360.0000000004419000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386511135.000000000478A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386511135.000000000478A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383645453.000000000485B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383645453.000000000485B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386616181.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386616181.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383202245.0000000004721000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383202245.0000000004721000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383407849.00000000047BF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383407849.00000000047BF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.406011428.0000000000D02000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001E.00000002.406011428.0000000000D02000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383348180.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383348180.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
    Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: 4_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: 10_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: 20_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: String function: 0020E2F0 appears 31 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: String function: 0020D940 appears 50 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: String function: 0020D870 appears 35 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 0113E970 appears 61 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01146B90 appears 115 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01148115 appears 61 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 011414F7 appears 81 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01131D10 appears 68 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 011413CB appears 42 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01139190 appears 39 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 0114333F appears 54 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01152160 appears 54 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01160165 appears 53 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 011759E6 appears 146 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01131DE0 appears 32 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 01132390 appears 32 times
    Source: C:\Users\user\77066510\cjlaro.pif, Code function: String function: 011431BB appears 32 times
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: 0_2_001F6FC6: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
    Source: dUzAkYsvl8.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, File created: C:\Users\user\77066510
    Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@26/37@6/2
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, File read: C:\Windows\win.ini
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: 0_2_001F6D06 GetLastError,FormatMessageW,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Code function: 0_2_0020963A FindResourceW,DeleteObject,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
    Source: unknown, Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, File created: C:\Program Files (x86)\DHCP Monitor
    Source: dUzAkYsvl8.exe, Virustotal: Detection: 52%
    Source: dUzAkYsvl8.exe, ReversingLabs: Detection: 55%
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, File read: C:\Users\user\Desktop\dUzAkYsvl8.exe
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown, Process created: C:\Users\user\Desktop\dUzAkYsvl8.exe 'C:\Users\user\Desktop\dUzAkYsvl8.exe'
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe, Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pif, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
    Source: unknown, Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
    Source: C:\Users\user\77066510\cjlaro.pifProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_011633A3 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01194AEB OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,
    Source: C:\Users\user\77066510\cjlaro.pif | File created: C:\Users\user\temp\hrennftnds.cpl
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0119E0F6 CoInitialize,CoCreateInstance,CoUninitialize,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0118D766 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011A557E CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_01
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_01
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6}
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Command line argument: ps#
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Command line argument: sfxname
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Command line argument: sfxstime
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Command line argument: STARTDLG
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | File written: C:\Users\user\77066510\gmbvs.ini
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: dUzAkYsvl8.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: dUzAkYsvl8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: dUzAkYsvl8.exe, 00000000.00000000.289072563.0000000000222000.00000002.00020000.sdmp
    Source: Binary string: RegSvcs.pdb, source: dhcpmon.exe, 00000010.00000002.347719934.0000000000D32000.00000002.00020000.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp
    Source: Binary string: RegSvcs.pdb source: dhcpmon.exe
    Source: dUzAkYsvl8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: dUzAkYsvl8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: dUzAkYsvl8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: dUzAkYsvl8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: dUzAkYsvl8.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

    Data Obfuscation:

    .NET source code contains potential unpacker
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU==.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020E336 push ecx; ret
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020D870 push eax; ret
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01146BD5 push ecx; ret
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01146BD5 push ecx; ret
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_01146BD5 push ecx; ret
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0113EE30 LoadLibraryA,GetProcAddress,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | File created: C:\Users\user\77066510\__tmp_rar_sfx_access_check_5166187
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 5.2.RegSvcs.exe.500000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

    Persistence and Installation Behavior:

    Drops PE files with a suspicious file extension
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | File created: C:\Users\user\77066510\cjlaro.pif
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | File created: C:\Users\user\77066510\cjlaro.pif
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

    Boot Survival:

    Uses schtasks.exe or at.exe to add and modify task schedules
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'

    Hooking and other Techniques for Hiding and Protection:

    Hides that the sample has been downloaded from the Internet (zone.identifier)
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe:Zone.Identifier read attributes | delete
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011AA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_011AA2EA IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 20_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\77066510\cjlaro.pif | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Yara detected AntiVM autoit script
    Source: Yara match | File source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: C:\Users\user\77066510\cjlaro.pif TID: 4968 | Thread sleep count: 74 > 30
    Source: C:\Users\user\77066510\cjlaro.pif TID: 4968 | Thread sleep count: 105 > 30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5496 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Users\user\77066510\cjlaro.pif TID: 7144 | Thread sleep count: 68 > 30
    Source: C:\Users\user\77066510\cjlaro.pif TID: 7144 | Thread sleep count: 85 > 30
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3450
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5826
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: foregroundWindowGot 667
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe
    Source: cjlaro.pif, 00000014.00000003.355134074.0000000003911000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VboxService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: rocessExists("VboxService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exeE97637D6X7|s
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: VMwaretray.exe+3
    Source: cjlaro.pif, 00000004.00000003.330888891.0000000004CDC000.00000004.00000001.sdmp | Binary or memory string: VMwareUser.exe5FB536C7
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: VMwareService.exe
    Source: cjlaro.pif, 00000014.00000002.380204454.0000000001577000.00000004.00000020.sdmp | Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VMwaretray.exe") Then
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: VBoxTray.exe
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
    Source: cjlaro.pif, 00000014.00000002.380204454.0000000001577000.00000004.00000020.sdmp | Binary or memory string: 63}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d8Y
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenN8b
    Source: cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thennw9
    Source: cjlaro.pif, 00000004.00000003.320782139.0000000004CE3000.00000004.00000001.sdmp | Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") ThenN8
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe"6
    Source: cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: VboxService.exe
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: If ProcessExists("VBoxTray.exe") Then
    Source: RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020D353 VirtualQuery,GetSystemInfo,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FA307 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020AFB9 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_00219FD3 FindFirstFileExA,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0118DE7C FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_01182408 FindFirstFileW,Sleep,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 10_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_011A8877 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0118DE7C FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0116399B GetFileAttributesW,FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01182408 FindFirstFileW,LdrInitializeThunk,Sleep,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117280D FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01161A73 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0118CAE7 FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117BCB3 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0117BF17 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0118DE7C FindFirstFileW,FindClose,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0113EE30 LoadLibraryA,GetProcAddress,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_00216AF3 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0021ACA1 GetProcessHeap,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01146374 GetStartupInfoW,__heap_init,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineW,__wsetargv,__amsg_exit,__wsetenvp,__amsg_exit,__cinit,__amsg_exit,__wwincmdln,LdrInitializeThunk,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0118A35D BlockInput,
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guard
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E643 SetUnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E4F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_0020E7FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exeCode function: 0_2_00217BE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0114F170 SetUnhandledExceptionFilter,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 4_2_01147CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_0114F170 SetUnhandledExceptionFilter,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 10_2_01147CCD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_0114A128 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
    Source: C:\Users\user\77066510\cjlaro.pifCode function: 20_2_01147CCD _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

    HIPS / PFW / Operating System Protection Evasion:

    Allocates memory in foreign processes
    Source: C:\Users\user\77066510\cjlaro.pif | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 protect: page execute and read and write
    Source: C:\Users\user\77066510\cjlaro.pif | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000 protect: page execute and read and write
    Injects a PE file into foreign processes
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000 value starts with: 4D5A
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000 value starts with: 4D5A
    Writes to foreign memory regions
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 500000
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 361000
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F60000
    Source: C:\Users\user\77066510\cjlaro.pif | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DFA000
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011643FF GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
    Source: C:\Users\user\77066510\cjlaro.pif | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\77066510\cjlaro.pif 'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01166C61 LogonUserW,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0113D7A0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_01163321 __wcsicoll,mouse_event,__wcsicoll,mouse_event,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0117602A GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,
    Source: RegSvcs.exe, 00000005.00000002.558858060.0000000002EBB000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.375222511.0000000003936000.00000004.00000001.sdmp | Binary or memory string: Program Manager
    Source: cjlaro.pif | Binary or memory string: Shell_TrayWnd
    Source: RegSvcs.exe, 00000005.00000002.557519174.0000000001420000.00000002.00020000.sdmp | Binary or memory string: Progman
    Source: cjlaro.pif, 00000004.00000003.320782139.0000000004CE3000.00000004.00000001.sdmp, cjlaro.pif, 00000014.00000003.374937841.0000000003921000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
    Source: cjlaro.pif, 00000004.00000003.320833602.0000000004CFF000.00000004.00000001.sdmp | Binary or memory string: Program ManagerP7
    Source: RegSvcs.exe, 00000005.00000002.557519174.0000000001420000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
    Source: RegSvcs.exe, 00000005.00000002.558858060.0000000002EBB000.00000004.00000001.sdmp | Binary or memory string: Program Manager\2A
    Source: cjlaro.pif, 00000004.00000000.305322925.00000000011B2000.00000002.00020000.sdmp, cjlaro.pif, 0000000A.00000002.337116003.00000000011B2000.00000002.00020000.sdmp, cjlaro.pif, 00000014.00000000.348690315.00000000011B2000.00000002.00020000.sdmp | Binary or memory string: ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript PausedblankinfoquestionstopwarningAutoIt -
    Source: cjlaro.pif, 00000004.00000003.310288716.0000000004CD1000.00000004.00000001.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then}
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020E34B cpuid
    Source: C:\Users\user\77066510\cjlaro.pif | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_0020CBB8 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_0114E284 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
    Source: C:\Users\user\77066510\cjlaro.pif | Code function: 4_2_011A2BF9 GetUserNameW,
    Source: C:\Users\user\Desktop\dUzAkYsvl8.exe | Code function: 0_2_001FA995 GetVersionExW,

    Stealing of Sensitive Information:

    Yara detected Nanocore RAT
    Source: Yara match | File source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.391670186.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383169195.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.385532540.00000000010C3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000019.00000002.391832360.0000000004419000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386511135.000000000478A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383645453.000000000485B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386616181.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383202245.0000000004721000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383407849.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.406011428.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383348180.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
    Source: Yara match | File source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: cjlaro.pif | Binary or memory string: WIN_XP
    Source: cjlaro.pif | Binary or memory string: WIN_XPe
    Source: cjlaro.pif | Binary or memory string: WIN_VISTA
    Source: cjlaro.pif, 00000014.00000000.348690315.00000000011B2000.00000002.00020000.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte!
    Source: cjlaro.pif | Binary or memory string: WIN_7
    Source: cjlaro.pif | Binary or memory string: WIN_8

    Remote Access Functionality:

    Detected Nanocore Rat
    Source: cjlaro.pif, 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: RegSvcs.exe, 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runti
me.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: RegSvcs.exe, 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompi
lerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
    Source: cjlaro.pif, 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
    Yara detected Nanocore RAT
    Source: Yara match; File source: 20.3.cjlaro.pif.48ce458.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.496b880.5.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 4.3.cjlaro.pif.4e6e068.2.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 4.3.cjlaro.pif.4ed7078.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.500000.0.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.3a807ce.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.61b0000.8.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.496b880.6.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.496b880.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.61b4629.9.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.4.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 4.3.cjlaro.pif.4e05058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 4.3.cjlaro.pif.4ed7078.1.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.496b880.6.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.7.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.61b0000.8.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.7.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.3a8b041.5.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.8.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4899c50.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.3a8560b.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 4.3.cjlaro.pif.4e6e068.2.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4902870.9.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 5.2.RegSvcs.exe.3a8b041.5.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4865448.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 20.3.cjlaro.pif.4899c50.1.raw.unpack, type: UNPACKEDPE
    Source: Yara match; File source: 0000001B.00000003.383284019.000000000478A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383566865.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.385418574.0000000004828000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000019.00000002.390692877.0000000000F62000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386694211.0000000004721000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386537145.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000019.00000002.391670186.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383169195.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.385532540.00000000010C3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000019.00000002.391832360.0000000004419000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386511135.000000000478A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383645453.000000000485B000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386616181.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383202245.0000000004721000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383407849.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001E.00000002.406011428.0000000000D02000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383348180.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383504563.00000000047F3000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001E.00000002.411732283.00000000033A1000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386566314.00000000047F2000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.386381872.00000000047BF000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001E.00000002.412114966.00000000043A9000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383082558.0000000004756000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: 0000001B.00000003.383597669.0000000004828000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match; File source: Process Memory Space: cjlaro.pif PID: 5028, type: MEMORYSTR
    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6364, type: MEMORYSTR
    Source: Yara match; File source: Process Memory Space: cjlaro.pif PID: 7152, type: MEMORYSTR
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_0119C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 4_2_011A65D3 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 10_2_0119C06C OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,#35,
    Source: C:\Users\user\77066510\cjlaro.pif; Code function: 20_2_01194EFB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts2 | Scripting11 | DLL Side-Loading1 | Exploitation for Privilege Escalation1 | Disable or Modify Tools11 | Input Capture41 | System Time Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
    Default Accounts | Native API1 | Valid Accounts2 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information11 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Input Capture41 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | Command and Scripting Interpreter2 | Scheduled Task/Job1 | Valid Accounts2 | Scripting11 | Security Account Manager | File and Directory Discovery3 | SMB/Windows Admin Shares | Clipboard Data2 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | Scheduled Task/Job1 | Logon Script (Mac) | Access Token Manipulation21 | Obfuscated Files or Information2 | NTDS | System Information Discovery36 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Process Injection312 | Software Packing12 | LSA Secrets | Security Software Discovery121 | SSH | Keylogging | Data Transfer Size Limits | Non-Application Layer Protocol1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Scheduled Task/Job1 | DLL Side-Loading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion21 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Application Layer Protocol11 | Jamming or Denial of Service | Abuse Accessibility Features
    External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading12 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Valid Accounts2 | Proc Filesystem | Application Window Discovery11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion21 | /etc/passwd and /etc/shadow | System Owner/User Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
    Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Access Token Manipulation21 | Network Sniffing | Remote System Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
    Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Process Injection312 | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
    Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Hidden Files and Directories1 | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph ID: 500304; Sample: dUzAkYsvl8.exe; Start date: 11/10/2021; Architecture: WINDOWS; Score: 100. The graph image itself is not recoverable; its node contents are listed below (the numbers after process names are the registry-value and file counts shown on the graph nodes).

    • Start node: DNS strongodss.ddns.net; signatures: Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, Sigma detected: NanoCore, 8 other signatures; started processes: dUzAkYsvl8.exe 29, cjlaro.pif, RegSvcs.exe 2, 3 other processes
    • dUzAkYsvl8.exe 29: dropped C:\Users\user\77066510\cjlaro.pif, PE32; signature: Drops PE files with a suspicious file extension; started cjlaro.pif 2 4
    • cjlaro.pif: signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Injects a PE file into a foreign processes
    • RegSvcs.exe 2 and the 3 other processes: each started conhost.exe
    • cjlaro.pif 2 4: signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Writes to foreign memory regions, 2 other signatures; started RegSvcs.exe 1 11
    • RegSvcs.exe 1 11: DNS/IP: 185.19.85.175, 48562, 49764, 49791 DATAWIRE-ASCH Switzerland; strongodss.ddns.net 197.210.84.227, 48562 VCG-ASNG Nigeria; dropped C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO; C:\Users\user\AppData\Local\...\tmp1EC2.tmp, XML; C:\Program Files (x86)\...\dhcpmon.exe, PE32; signatures: Protects its processes via BreakOnTermination flag, Uses schtasks.exe or at.exe to add and modify task schedules, Hides that the sample has been downloaded from the Internet (zone.identifier); started schtasks.exe 1 (twice), each of which started conhost.exe

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    dUzAkYsvl8.exe | 52% | Virustotal |
    dUzAkYsvl8.exe | 56% | ReversingLabs | Win32.Trojan.Lisk
    dUzAkYsvl8.exe | 100% | Joe Sandbox ML |

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\user\77066510\cjlaro.pif | 100% | Joe Sandbox ML |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
    C:\Users\user\77066510\cjlaro.pif | 37% | Metadefender |
    C:\Users\user\77066510\cjlaro.pif | 56% | ReversingLabs | Win32.Packed.Generic

    Unpacked PE Files

    Source | Detection | Scanner | Label
    5.2.RegSvcs.exe.500000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
    5.2.RegSvcs.exe.61b0000.8.unpack | 100% | Avira | TR/NanoCore.fadte

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.onnodb.com/aetraymenuH( | 0% | Avira URL Cloud | safe
    http://crl.microsof | 0% | URL Reputation | safe
    http://crl.micrH | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    strongodss.ddns.net | 197.210.84.227 | true | false | | high

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://www.onnodb.com/aetraymenuH( | cjlaro.pif, 00000004.00000002.334762568.00000000011DB000.00000002.00020000.sdmp; cjlaro.pif, 0000000A.00000002.337157263.00000000011DB000.00000002.00020000.sdmp; cjlaro.pif, 00000014.00000000.348819086.00000000011DB000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | unknown
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp | false | | high
      http://crl.microsof | RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
      http://crl.micrH | RegSvcs.exe, 00000005.00000002.556279118.0000000000E08000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

        Contacted IPs


        Public

        IP | Domain | Country | ASN | ASN Name | Malicious
        185.19.85.175 | unknown | Switzerland | 48971 | DATAWIRE-ASCH | true
        197.210.84.227 | strongodss.ddns.net | Nigeria | 29465 | VCG-ASNG | false

        General Information

        Joe Sandbox Version:33.0.0 White Diamond
        Analysis ID:500304
        Start date:11.10.2021
        Start time:22:27:55
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 14m 36s
        Hypervisor based Inspection enabled:false
        Report type:light
        Sample file name:dUzAkYsvl8.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:45
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.spyw.evad.winEXE@26/37@6/2
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 17.3% (good quality ratio 16.6%)
        • Quality average: 77.7%
        • Quality standard deviation: 26.3%
        HCA Information:
        • Successful, ratio: 80%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, consent.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 20.50.102.62, 8.247.248.223, 8.247.248.249, 8.247.244.221, 2.20.178.56, 2.20.178.10, 20.199.120.151, 20.199.120.85, 2.20.178.24, 2.20.178.18, 20.199.120.182, 52.251.79.25, 20.54.110.249, 40.112.88.60
        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Not all processes were analyzed; the report is missing behavior information
        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.

        Simulations

        Behavior and APIs

        Time | Type | Description
        22:29:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\77066510\cjlaro.pif C:\Users\user\77066510\txoxpdjc.qnr
        22:29:12 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\77066510\Update.vbs
        22:29:13 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" s>$(Arg0)
        22:29:13 | API Interceptor | 839x Sleep call for process: RegSvcs.exe modified
        22:29:16 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
        22:29:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
        Category:dropped
        Size (bytes):45152
        Entropy (8bit):6.149629800481177
        Encrypted:false
        SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
        MD5:2867A3817C9245F7CF518524DFD18F28
        SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
        SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
        SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
        Malicious:false
        Antivirus:
        • Antivirus: Metadefender, Detection: 0%
        • Antivirus: ReversingLabs, Detection: 0%
        Reputation:unknown
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
        C:\Users\user\77066510\Update.vbs
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:ASCII text, with no line terminators
        Category:modified
        Size (bytes):107
        Entropy (8bit):5.002783808669296
        Encrypted:false
        SSDEEP:3:FER/n0eFH5OWXp5hCM/XKaDc1WXp5hCMQXBPcU7n:FER/lFHIWXpJfpDeWXpJc0U7
        MD5:D7D163335F9D1CCBAB796BC5C8E03BDD
        SHA1:9CEF3FE22619FAAE680C3920F62B4A89847E929F
        SHA-256:CAA9D279E13AA7ECB9A786A680BD62A60447586237442043244DA003C6DC0C61
        SHA-512:9ABD835B48875A2196D9720977444D32DD791C6A4E6EB7091E97AB1F6966F7E79982C981406E1AEBB1D7DCAD33F2AEA5A05D7CC3995932AA3EA3FB3BC6A72DE2
        Malicious:false
        Reputation:unknown
        Preview: CreateObject("WScript.Shell").Run "C:\Users\user\77066510\cjlaro.pif C:\Users\user\77066510\txoxpdjc.qnr"
        C:\Users\user\77066510\agvlvr.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):612
        Entropy (8bit):5.429702104548591
        Encrypted:false
        SSDEEP:12:xgRsRrAtZPIlB7Y4HUERSRdlCiMRwCShdzhWmeTDbeorLCU5+WopwlKVBH:xFJAv47/HXRadlCiMRpShdzz8bfrWi+B
        MD5:45CE434F3827D00D9C3AB67BD7079AE8
        SHA1:80C5FB40633B0BCD55516F89523251E6B5E3A809
        SHA-256:F3370937C56AAA052CFF38BC4DD87ED6590C53E5C12F134C509CA67AD248B808
        SHA-512:2A90270A6CA572788ADF9A61F9287FA71322F0F77BADE789B11ABDA146495E061B63ECA9052BD360B9FA38CFCAA7A7C90FCE37E61739431C4E794AC5A0EEBDCC
        Malicious:false
        Reputation:unknown
        Preview: H35179kJvnA8K5839O2q..9R1Dv6Gx04P63Cz4G873YUM64f18L10eA3BVkM0TGr5377E4qZ2K392Wb821V9Q9v65i..0460b32OWz45wkzoJVQp05u4Hq0W4772C1yjIa0X77yy9..F85JDq5wK9806r1366hCr17B9311q8205H5f7gve977afL75j8723a60630F65O707JfAUtRsCZ5792z53VcP0s449a97BTC3o6123Fg13W51v59X48Kd3kLC392nlAA53XX51RJ0187JQt4RM128w0lY5QF1hD0rqM1Z67a386Vxl0jv1XNu62eT835526p440..TYL15RA8466j02Z56o19Otx681Rx450eFB4ob7rSkeR4n5r8V378K8d3p74p9n89e812WT1Yb3H221Dxp4c20vun937796k5..F9sW35p8Er9449lynCR1VK148TE7fE88b27lM0S054QOf7n8521CfW0B4198iz9..LytE23n2TB84ha97H3A8991L2BL167l816f23K7y7C404qYxm6sS04512z0y26Uvy2pFM9m50I9oDXsS6809ZM110u2Jr7109l0957f448l063t..
        C:\Users\user\77066510\aravnorhp.pdf
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):554
        Entropy (8bit):5.5024278614068125
        Encrypted:false
        SSDEEP:12:5YOA/nxL4RlHbcZCVtuJ7p6zPl50DnsvNthFo7OFQXqsIBHeKVZ:5Y9pOcZZJ7pYPD0Ds17Fo7ZqsGR
        MD5:B661EA9D0EE79FC8D6ABDC292228A94E
        SHA1:747EC3AE658432133137C847A997460D2ACCCB31
        SHA-256:8D0D086264BE5B548B5C71591F97D2665F27BE763EADCBA958EEF49B4BC1F490
        SHA-512:4EE3927EA43037719F21704D3BAF53C6344165AEC5C726DF54AC9D199498B1C849FB3047E93C08F188E4AF397F3276AB7C43FBA16CA5A9D2721FF5C085D9FE1C
        Malicious:false
        Reputation:unknown
        Preview: 6W0g980A5N1Ex6S56i54U7Fen7Q8L4239VK5r33AZVJfMH2t9Z25ep9463YO38aR38t94B0K235436J3..K6707so05XaK2R3py71NTbs6SO1a0293E9eXv7K19U3K2677j7Gljp9A621L72L53oA13Jt2g8D774PY57NMW08dpz0TM751uXgQ453u606..n51s4WxHu7Lbt8qb06L346232hhiC..sJV3EJ2RU5wkNp990S806GA90593n80oB4xPDGSXD63657XLo7g1I98fOY06b2v6Xu3oU14K73f3OPo..6B35V5K2..gfk85m70N76626G7kZleR1F8CN2469as755iY7q4wF8C4..8p05Xn2625c87q65Qk7N34eH956G9749225afj0JlFAfEDWX40Ld5M800S5GQb6q2Dg7wsK973AJY9a6wWJGf25TmL98Ks5846c82C8a03ETLMRqK94vxieLR5S4x854WEpLe5jux81L41WQ2X16Hk87F9U69C8SQFFtk12206QhIYG87H02pi9I2a9Qok25..
        C:\Users\user\77066510\bvjuru.dll
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):569
        Entropy (8bit):5.550150501825932
        Encrypted:false
        SSDEEP:12:dtryVYKWnNoxxOc5MaFbeJCxlsQocvSfnRmlFOX1RU/e5NeWfot:dtrT6xAcSaFbeguySfnRMe1Ogen
        MD5:AC41F1ABD1FB73EB627E9A41861CB963
        SHA1:A6997F25AAA3622B5A0485AA266E0AA43F1BFA2A
        SHA-256:848DBD0A158E01F158874EE4F573A5109AF3FAAEEF5B31FC192E3896909B46DF
        SHA-512:4268492CC123118AD90F5A42E2BDB4C417341256C4510AD34A4CFB0C49F8A7830A26F43797CF3F875D3741D000DD51D9043989DC57FB00940B5FE53C3E72CDC5
        Malicious:false
        Reputation:unknown
        Preview: Q540942QUf4Dbp1nL7915N08T89t89N5jn5G6pR0vZS9998MN7r7J63093JF5S3uTtIw818m84CY2mq8tl2..428F0cL71p1..f8JdD4qL090e3vVj97gMb7kkKe87bZ253KXKZ86b9QKn8yV0t88E6z47VFuLDs4YZq281mO5wY89YhM929b4s2..on4C0321p2kX7Ldb32xsXG8P0lV87Q4U1..L2aq4Sn9HZb53auPFCFn99ly1t6EUt174b8e0suhT2Ze6LlFWew55Q30w56imc9LQRV4uf8MyZf1Kxz7H9qDy7zy55926T4517rT32H2XQJ2011p31u4X9DHL9..44ar1B35D8p44YN54y2uqVUVsu670D48dRO013RtD90zw65hb0RX05S1mst2wGQ5tU06fj08lEP76T34R3dMSGc11065lf2A0OIg5pkLJQ180s1k8V2..1G1QQ16118d3E01..087MeWs97C85zQeN97690t0j5Q9562mLXQNK2R40u691J2GBCUPSy6117G7794ZRD0A9IzG5B5AO3QLJn065973n..
        C:\Users\user\77066510\cjlaro.pif
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):776432
        Entropy (8bit):6.353910854155555
        Encrypted:false
        SSDEEP:12288:qBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aKie5DGDt2:kcneJVBvXAvwRJdwvZ5aKie5DGR2
        MD5:279DAE7236F5F2488A4BACDE6027F730
        SHA1:29A012E5259739F24480CEDFD6D5F2D860CFCDB3
        SHA-256:415850F2706681A6D80708FCA8AC18DCF97E58B8F3FDC7BC4B558AB15FC0A03F
        SHA-512:B81276FC4D915A9721DAE15AA064781A1DBA665FF4864CCBDF624E8049C1B3C12A2B374F11CFFCF6E4A5217766836EDBC5F2376FFA8765F9070CBD87D7AE2FE8
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        • Antivirus: Metadefender, Detection: 37%, Browse
        • Antivirus: ReversingLabs, Detection: 56%
        Reputation:unknown
        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................1b.....P.)....Q.....y.....i.......}...N......d.....`.....m.....g....Rich............PE..L....%O.........."..................d....... ....@..........................0......Jg....@...@.......@.........................T................................c................................................... ..D............................text............................... ..`.rdata....... ......................@..@.data...X........h..................@....rsrc................R..............@..@.reloc...u.......v...D..............@..B................................................................................................................................................................................................................................................................................................................
        C:\Users\user\77066510\gmbvs.ini
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):596
        Entropy (8bit):5.49650466783217
        Encrypted:false
        SSDEEP:12:nXNTQQhmCFkEOimlfljPLsd3JXyNRGleqcY5+9fkgCbyHgzhyEhhN7:XJQQ9kE1mlBPAdZXDeqcYgiQHgzkih
        MD5:D24E6E36CA0380D9AE91B95956A2B495
        SHA1:C9AC0D0AABB8FDD8775FE54958DE809E481731F1
        SHA-256:154AF62E924559C5FE675B816B6B2E327D5820CA76409DCCD2CECBB15A48C1D6
        SHA-512:CB6133F7BE480C557B6F42495284AE6394B67D0833105E3555DB091749093D689E4B13B98B9B46DC83BF0E993F9257FF9D9A8D68FA389488EB2D23815C621AEC
        Malicious:false
        Reputation:unknown
        Preview: 490bF9417QYc193z68dr35847c3..gZ99Ne7N5500ZAx70515Y9T86ubw7NiBn763z30Q6s9rKZm82G4W6zU35Z2A19b8L6CP0Hf3Y398O3UW33hWl86z3314..922q0gu8TmBW928Uv9w30T..u417pM11y5X9E10BhQz6K32q6L74T0uliFaR95lNT73Fi0Dvm75Z6P5562c9wfU0397n829zMg15o5012G422ZS0Hgg1778YS218Obs54o913V1V90c1H1795GC7828GM6Hl0r33u2D7pGY752dc4HA3dak3EhK3..61d8O294530ILFNeT20Ox32j7yJ8LwkX5w694lN8f..2DCz32Kb99o487ztlFh9871F2Jm952Q5A85w8qJ555F5JRa2BQ9OM0X..1Ft7cMc1Pk147jZGh7Na07Yi..3L3D5c60Xz6rD1X358nn1dgi1kHXa0j1aQ7q48vZBQ685..1eCU62..T09430nQQtd2asG2q1aIz86q5292lT4tWkxy37gJyS3g89TB8BO74R3ay61Kl5HZ1y591Ib863lw0R8P4517m9E3319987oQ4e33Xp87..
        C:\Users\user\77066510\hrennftnds.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):65398
        Entropy (8bit):5.57926760107341
        Encrypted:false
        SSDEEP:1536:ZeWsPd1VFU1Jj5pTkp8x0AMrqTok8Jb4C4m/le3ma+VBxo1yotcuG:ZH61VyJbxt2Hnbf03mvTxVyG
        MD5:51B278BB20BA6B5C39B96E40B19A591F
        SHA1:CCF1834F98327A25B1404EF9D679B9D8A29D5330
        SHA-256:B68324E9D8A2669F261B06AF1F96DA4CD8360CEF79F76E2AF45EA7E423F96C2D
        SHA-512:0C7B27F4227069385D57CC4983A40DDF55A782DCE47A7BFF2A484C1AE92C0C66FCC7804B7AB25CA175939A6F4816B6E769D69229052F01D94E8EE7D8EEFC4D91
        Malicious:false
        Reputation:unknown
        Preview: 44oa3..n1j49a94W8usBOZ4N2i9yT7SG03Q7W80R418EQ8QlG4Vsz9N7Tv..336f2TeAh1NBx79EeYf183bA9VBH4B9z93Zr1m8j135Pky6w..4176InN5u4bPg50242Bu1LK6BY56B49O9403m9..78FK17b2123U3C8c35A6OtMO4H0vKyA49P7501d16bz9..xus3U448h8W0w7F0F3OKD0VM8967a4P977PA96E8YQ4plfg7f7uG8..ak48DtA1m76ydl46o55j157BXClQmzH76w2792xy57j6RT79aM9L049ya54Y21x5H327BH0L01k9BQ..4k4TDJ7Wv0Dmam0NJ8fD3bJ4..X52DL84LxY26L0401Q4Q3R16M933bEP8PgU9052JAh1Dk06B0rVJ..2Xy9536r9m67OB4b0PN55J252874K0WUJ9198341xV3885V93IqG856Yt6f96y5IijQF11F1Q7374185m2212w6Org09..lbJLr65849y11siCxq7O07Y8mdZH4a85n8x2rXF3bS978oL2LTOmkw4462f6u5Iqu631o2BrAGo27i87A602m1D64W4E1l8..fuCK32619UE02o6A5ffHfRVflyy0a5QL96KSsbx2M2611of73yzc705F8..6K4E0AE6U3hA27a7o0C1ao2e86n79iAvWy1..55H2Ua12c7GMF85qQafa65QW5w856AzM6B7nj9b38aQuq1e1r0h710vq4Hf13BAi9QLWdts90..NLd38qW42RuN7X5MURKG9WCQI7P236G0T41P8FHev6V10glh338JD2e32..G4703kFbjOQDo2825W406811675J4cO..7ghZ9918R32957987ll4w551HHz98576z5D518r4P7Kib412GH01..Ehrk0q3922dA3qFN5u8P78od37Kn5036..qPDFHK2i2klYwqa8duBu7A7cNw5HnX3Vd97r856m94sm5nB
        C:\Users\user\77066510\ini
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:empty
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3::
        MD5:D41D8CD98F00B204E9800998ECF8427E
        SHA1:DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
        SHA-256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
        SHA-512:CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
        Malicious:false
        Reputation:unknown
        Preview:
        C:\Users\user\77066510\inprv.xl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):568
        Entropy (8bit):5.424929682839166
        Encrypted:false
        SSDEEP:12:YuTQZItykUeGyjxyGhKzLUtIPtIsyvdVSBwKK+X2bO7nTy:LQZC5xhKzmrsTlNlTy
        MD5:FE93C18D9F3135D1657E5C1EC1738AA6
        SHA1:D4112EA632172366F983DFA963C702CB234F79EF
        SHA-256:04317DBF1CC693EC693A13A0E6A242C1C04B185A73FEE1E689768D354AF48F11
        SHA-512:0ED13CE0171DE1FE5BCD99073A34F1A45630C5140C821F715F280AA21B8912CF5DAFD42B080061AAF25799383370A68C6CD77F2A391CCFABA3923219CA55D764
        Malicious:false
        Reputation:unknown
        Preview: v6Ui6zPK6xh02mgFgXp0pcl194503sdm00576PYX525M3zT8492qb1964Xj777Gv003ez10u6mv199XvQY1m55O935fSj917vmUt..57Fl7C9E2dAsg087Q398gU8gDC6U70P0VUe1eL5S6MB46I0979G689o4uf92..454999Bto5..y0J16Xt5..97W3g95t4Q5c77j32b42wm2E66gq68m1gF9sAz4oVEvTr3V6847l6996a822e5z8S96Xt..02113N28J1sd346lSA35W17Su16eFj219M2lStKS20MgC21S3yQJj6gS70t3Vi838RotN7842532z1u91Fc665572..0lv87212406iC9o2Abqm7v84ade65i2tn8..v3zU0JG9O5br0DtQXjnO896t9F20UAlZt7o9JbWz2kLLw256697iNJRj99RRLh06QFc52..W7p2cE757b30t66v05A5tf28V524g1T234KnNio51f521665YiOE14LSx5068i8r82d12Fz947MN1bvC6878Ay6D043pqo6QyR08aMh08Pw85o4..
        C:\Users\user\77066510\jbxbxjeb.dll
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):501
        Entropy (8bit):5.469755934931095
        Encrypted:false
        SSDEEP:12:OAObNzhqrQKrMrxuHqTbSQV8hNyfFysMeRxs:dO5g5A4OjV83yN2e7s
        MD5:C80239502806F958F12FAA39BA84560E
        SHA1:F7C7780C5E5EF39C93E397CB5FEDCC3179CE0546
        SHA-256:D26440B3C6DD42923630C4E5732D635B13F50765D813527D6DCA9725D3B00811
        SHA-512:3B99D9DE4E189C567184F6AE8CDE55090E7E53CDC81B3CCD0B0DE35E5A81E1AD2E266DF739C079CBDFC53CBEEFDD66201401111308142382BB9392D81374F3B8
        Malicious:false
        Reputation:unknown
        Preview: 0hs56692t9Tc55KQd84E9440S018S47n69h53U..B0qQ3007A5Bqd80M0gfP09d441ck80040PEd95JB5Ml094bll087nT8OY782b1E5aYzYuH2yM4k42FY74T86H8U8O422667G5O25g..c73uUH0A496009PK0oE65PY24w37..7lY0L05299Kab4amvh36w3V6Dmmi2815N0V8HP1xXONbaHgSnO3893g66B5181P7IBUeT85s09265mRr1f6a83V3j0Y4ojlf4cf1oY9p52hoCSyuQpN61m5K8I..o62LY554zX2Kb2B42XJe229W161HQQDb348SnqFO20L20Xg2z5e7Z9S66Nowa5056U9YWM835ON49F0K553lhAG8ug8R290aks634h37q96934HZ09zu950WG330IB7w32N2..6v7lqC8S451zg579y42y19yTVv7x7neev6017Z3PCJ76759tZ0ILb7pT8e2D0U711J30..
        C:\Users\user\77066510\keksbhxmev.ppt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):510
        Entropy (8bit):5.470587495063201
        Encrypted:false
        SSDEEP:12:bnEjM0hglXLpsw6TczgUO2iqWjX1AsqAcnsLGRzEmoB+NMVX1QKgeR:bnEjMgglbpspAxqjX1aAcsym+NMZawR
        MD5:85845D8C48A5A553F765E4B356CD3911
        SHA1:E4616CDD21D9534F30D4DF68A1FB72EEB31169B6
        SHA-256:ECCAADF73B9B6258B128FBB8EA6D09D818F13272DB3FFE93ABD2EBCEF1B0F78C
        SHA-512:6A5E9FE1EAB4168CFCA7A922E62037BD850354BB3B495C6B409DC9FB8DD8E7534173AFC4E38D412F859B8BC8EB86C3E57A2756D3BCCAEC79A853ABED4FCDC210
        Malicious:false
        Reputation:unknown
        Preview: 9q4f6wGoX5d7wBAnv2Or6t85hu0NMZ4JA39ai45vdpX6P01y0v9G5y125hks85925519OO8os49536x5rm..KDY25hyEu05ld0543z797747Fp919f4z51yD0TYJc92h08457u605v1Hpe31va93852n72n4kPayRgYtgJ58DQ7Ww76Di37Nt7bxXMrc37FPI8t0960e4P2543O7958H668992pU9E4TEB..8J013Q75A3M83Pw3gH5ccVL0rE7r4q2Zg4yFY5h34Q6PkV93t7I24i8298037i30q9z90GKg508XXT1f4rjH94Vryh8KzU4Avw5dzUp9m4..b68l81C32p0884qX0Vs7rw4H16a08dc7Wa86Zc4QF9G0x02lM84mH3T596YuBxNPMHU796Y3nb769..3l09422mF4QU85TkV21TIs3824463zAO90q2q55W4Cb89B3nR2nB1895U2V79Q8O5u14E610222QM7750Yo654pgOaWX6..
        C:\Users\user\77066510\krrapb.bmp
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):551
        Entropy (8bit):5.401172365993664
        Encrypted:false
        SSDEEP:12:43hqymOySBOJcbJKrD0qloPjd/0Zi7Wrhu5ZoJoQeETVMx:4INOXBOJcbJe0quPxsZMouXNEZMx
        MD5:0DE8FCFC411FF1F85AC8EF2FE25B2F58
        SHA1:1B7181B6451FBABC502369B9532E8CB16AC58540
        SHA-256:899444AB8E592CD0D5C8BC9051E4B45BA02FE317FA78512FA2531A8B8C655A8D
        SHA-512:F1CFADDC269703C88A258ACE052683D29A5C90335FBBA95F563FDD872C3BCE0CF973945C077F51DC83C885A24FD16A380E657CFA608E6D784DFDB5D30430D033
        Malicious:false
        Reputation:unknown
        Preview: Gt45978X2N80A7qq8VY7ha7405M4ai7kW5d08TK8Q3W728o84Cq9J4M983c98V728ae3E1912Wd2zUs3l880..7Pg9d36698l6x19hBU3G70lz097A64L..72h85c410qK0171p9l1rs4b83N6V0w9AG108udn4L60H064750513Pj8I0v2K6Hug86hcG6Pyq3r3h61g3Wb31gO2q8HCJ09gJ394XqQlvOM14N9P8ZQ9r97SjJ54d74rY5EC1B..D4643wG66ddN87X134w62C067O7L328O7S76290QmVZu01146bndmf3045Au9V13966596y094so226F08P5svi5u9o2656oGSJgD9Zv4764qAR9W0D5x3wd87NlfYg5u674qZN03F85UhVh8Aq26322XhOmMnc17pG1F76919W8TA..8Qn9132984T6fDKJHo0I5n9F3YGv69j5Yt7PflQT7eR6CQ90964Dfz7V3kHVm706of4871014Fg75c6a74661PPS10M9M3HE1728D325p41849h8E31VU..
        C:\Users\user\77066510\lmaqspuvfs.txt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):575
        Entropy (8bit):5.478714072804598
        Encrypted:false
        SSDEEP:12:Q2PLglmEyURredpVS8kyCUrXYQ/xXaCGUPN/mD5n0qs0S78f0RaR:Q+gxrgVMSXYS5GXTRSJy
        MD5:2BCB8D5803ACD40E750A3EACE6FFF142
        SHA1:B9B7AAFD67D2E7F7172525D00C387F745EC5718B
        SHA-256:5FCA30CF19F3F3C6A69FFA2F61C8101E883B450731748AFAF82C8ACC7B629A70
        SHA-512:5325C49DB64ED84A27DC93CE737F2DF8A52AE5AC7D473205D1864DEE0524F1674C77A21F85A631566399C5714C35DADBF65F7553C8EB673572E8A1372055E58C
        Malicious:false
        Reputation:unknown
        Preview: 6ut297243s5zr61VV9hDAn759sN03zlBYyJ03aXQr5R52K59W8Er6269Xth2u2460R4552475U0mvsh99jHVD549D4c75nKi7g60Ko8wq0w85251265K73k05586C160H5DPbMviTB56k758pOORrZY391431e9..gS0j6nKx8q450p61135CX5U4E03dQ7sPNJyW817x1K880z5FQvJCAf19P7mL9K02a1766mM6T4x5Y13447XD5373c5D885G4uD5QhD1231v0r1278mpr63..zy77JZ1wQl7461e4KIf4w14l908141698655RD6WVS5l781pgb..Iv06c4S8O7..38l2752J6x06GxR399y0z04yVR4NXJCD0cc3E7ZHF1ce04X41R6CW2t01U8kwZST920nnjqh162Z68Kj0O63M57UV87K02YwJ4caewym..F15G841Ir8WI3YHOIc619Q58y229X1HP..I3kV8u88lM30u0U410wJ8lM9m207BJa3Q71R3E9om3i89g173bqxYXXCUrU0wr408onSJ67m173qGVrF9C4A28K6..
        C:\Users\user\77066510\mbchmfnast.lfh
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with very long lines, with no line terminators
        Category:dropped
        Size (bytes):430098
        Entropy (8bit):4.000008896555934
        Encrypted:false
        SSDEEP:6144:XtApp0ELYvuadbIZLjE5rfqN6CtwJYlF2b7SOXssuseskMe8:XtApBcvuCbIxaWN6CFIhcXsre8
        MD5:FE4F919F7FD004D0D1C5C89BCF638D11
        SHA1:11AF89C8ED4069E553FA20F204D1C8C78C60505F
        SHA-256:BF5E0A807796017B22886D1C734D579DC22CDD47A2A26560960908BB05BAA6B8
        SHA-512:87CB95067DA0E57DEA4E853E3BB23AD7DF79489A570C0182271461FF7512BA889497A756F6B1DF33561BEC569AD6D7AA171BB8E2FD7940A21470960C84265B49
        Malicious:false
        Reputation:unknown
Preview:
        C:\Users\user\77066510\mirwsqtlk.dat
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):505
        Entropy (8bit):5.519787882016756
        Encrypted:false
        SSDEEP:12:6yKcEjor7VW5bFYovesJt9YdBCwr1rdVKo9ZQ+nAuJf:PworMFYovTtaBHrhdVKGNnAuB
        MD5:8CC56D133A86B8D76CD01C98D1FA3A93
        SHA1:30122115E8C39A622CAFFCD2F5C22F5F824CC60F
        SHA-256:7B51963066C3E05A695E929E5B128BC9A08F1819C775FF55BD60278C6189EB25
        SHA-512:DDA706FF378A7A5F51ACCF33C5FADB2D6E52BC885434F9E69C26B868167C40CC196DE47C95CDDF4B1E9C8AFD1696CAE5FF287275CFDA48E483A53C7093134253
        Malicious:false
        Reputation:unknown
        Preview: 4z50XUwCpa010uu2815Mh00YH30j6t58cvO3kj6a9N2Gj9B45J9mPljxw0628vwE7NU57ui070944C57F126d7IVFH843Ou57..3C0pI9cv036360PsWNp9P38O47oMe2311x70174b4x36h89mi8v5jn62u2t26o9o84m89qWK8A64qY2t454C7qcDf8Hf8661ky0J7KmH..g6156y4J2ENLw47881f6542716fkT76UHV3QfvA17k11859221O568eoqtpGlb03cm..C77hqwaYdMd72VF06ilLpoU16Qok93q3820M9TI76V8Yu24A216655e1T7NnD30f06lOg78D08pUq3MJ9v9Odt07e6OJj5XdFT2cqP428I1dWrt38PPQWe0Z..BYml38xJEdBDB559Lu1gNl59RX87A15Bdn99LMoF7z8m054902E37a3J13493n6uL511RVm4d50uZ30Ig63yX5FmmUy76K8p3dZ5Q398fSJA..
        C:\Users\user\77066510\msowiig.bin
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):619
        Entropy (8bit):5.492545476252811
        Encrypted:false
        SSDEEP:12:G4RShxcOTwcG24qT3Xrz/ysneuE0X6RZaMDAg7VLBkL1zPN830djQWINJ4:GgsxcOTwv24qT3XnllslFnkL1D63qjew
        MD5:D4B853315AA3430917FFE7B653D81946
        SHA1:2494B995CE6B89E533CB7D39EEAE2AC14257324D
        SHA-256:F8B28942BA82E32A875FF7974006932286F5FE1CBDF860423090EF257E0D0D06
        SHA-512:0E30D3A44668287A1449FAA5FE6E64E819A2CAD14B825252CF13B30E44D8174128F29740E21D9CC937FAA781B474C8B739373A5C763EE5C42E0B0AD1A46FF54C
        Malicious:false
        Reputation:unknown
        Preview: 2P467iUI44C73iaoX4m8w868aW7Q5qB78FC3CB479r1ePc04uA2H17f3j37p3BvYd616oOH21BabC7X91Y9209YV11..47094eL6S5m2nwyWvJGkHUW12772k96v1d28s23m02e4W284og1mS6ZDQ2n85acDl1WPX59u687008..J0ftvhi463..l59c197X5xbX63284fK2vDho0J6S9r2p5gG59907Z45l9029EFCJA16ykWN19tk0NxuO1hsapx518oClrlT937v852i19wc1m9Jd2MGNU134KV1a0992w3nZi2deIxHJxg8782kw4Mq153kJd423R108835v..6Z710pUj70hk90X7734zu320l7yJj546xmV9Sf6o9219677y0kR998rdBcZKlp289k52JEdos7pz41Q69q0yY59Q46A34328..JJU99vt4t3LsZQkNhj985nVsV2w3Hf6tg..8BFD664R1Z9GjbI1er3OO2j0T7oKRm7uz12944iz712170VQ6uS47p5B81Cm9xW457306zC980872wDEp8234n4jq36Z680p6d62339WL43H6Qy4mO9rn7pd7n436H304r18z5534Q97x3..
        C:\Users\user\77066510\oaeobeseul.bmp
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):526
        Entropy (8bit):5.470896728928171
        Encrypted:false
        SSDEEP:12:jY1q0ykCR66FNR9hBif9fYNcjGY2ohQsQ80SSh2n95DRUUW62l:rwJ6p9hBi2NSUoqs2SShKZwl
        MD5:4B682E2CFE8733C3FBC05909A49EB6F9
        SHA1:13C089692ADD164CD19BB3E6503ACE3CE62A240C
        SHA-256:8D878D2A5CE42C36802B75F854156A6885677F2970B8ED61AB3593013EAB3B83
        SHA-512:C62F9BBB28056F391FC735A691C130AEBEDC2D0E977B9454237CAF5D8468A6B07C218BE32783E00C9E526A15AE08FB0ACF0BD8DBC7F69151582D0CF49014EB51
        Malicious:false
        Reputation:unknown
        Preview: u31U6ySzFC7iMO3pNrvG35wT2dg1cu5s70E7s74v82Xw4sa6n..18xhv53D0W923..gN92l94S1b2M6815oe8193Bm2v3q9W0Gu0r31S4zE09i4284t..a0s9347HaW0242ehh870Z33Y1z4E9QE79xN062Q6W3MsF1N00k299YM49m98z2cyf8025tf6kCGNR3mj570k03k2BDK505y81bZzq2qvNK4952Jg161993bKt5t5L1u4G..10Rq6Kwfju7q59FpbtdP39531G23AEz84VB21Elt1e326y9IXp96653Qp678Sx1WcfU7G3c8m0z0106j7WA8Yt78KI6C94p10Nv63Z046949vtbOesyNI5Ek30b3j6Jd8093l5X..Z6OP2495N2P84859UAHg0a599J7sFV32U41mvR35b8vIT1dJy118559qWOdI4MMxg803Wy0c8Te15s36E811p7O13HD48t5b80S80Uu250ytQ86OI8q780k6T8SDTbY1010nGv0bMU8..
        C:\Users\user\77066510\oeobxhkbe.xls
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):542
        Entropy (8bit):5.43675555101191
        Encrypted:false
        SSDEEP:12:0VE7CIEcVHdUb8rmhaUMixFfbkNTAbyecENQQxTrHLf2Fg:0VmVCcm88cvdQxqFg
        MD5:A412CE7422B902168C9D9D0069B2BD73
        SHA1:5ACE613E2FE2D8DE9A78825ACA7EF6C8DB271885
        SHA-256:63F1F9AA632314FE0177F06317530365AACAF728C21DC03A208E1109B5784E1D
        SHA-512:42A9CE52EED8DA9E756FEA877C25F70D4CB92E5B9B13FFF7D15446A0AE68381E25B8E1FBB022701CFEDFB100F8045FA584E851D6DEE32E9AA7219140BEB450F1
        Malicious:false
        Reputation:unknown
        Preview: 9B6o76o7HZ7GD73943Bu9pj47R06jJC0l8mH52ZEdXn2023i577t20651p6LW..9K3j6036LvSz0T61321U52S2V2s9j0g163n5A6374O7p7DK5u41390jm62v6zQX5m03eW6Y9bA72N08N66b1ywF9vLR7l9YCS3f..17wQN48d09F83h16ges4917847Mi8pYx2IHN79e8184qdkae4RIOu6I00vQ3j7zuQ72l4KY4u27uBH0l50Mv09FT9t..eoGvgM7766Z86iR77GH253ASV8158e9rvB583..284Y1k846C4A24c6CjV53Q13F2Z7Q11Gf5930a168JZ9285v60RY8IL0c45ci0Cl1y62wD1bH7gL6Dcb7817Dn6579o48C3ka60056GKh58X9k31N0115701Om481O2s22h7j1DDq..320h06Mhvbvx7TN47lwO7t5o48CK16R1D5oqVk92WkkF7i1J140Dg5y8T8U287C4sv4v70Q6Z2rZI34p5L986leOF666Ch4ts36TO1Fgfw..
        C:\Users\user\77066510\omrq.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):518
        Entropy (8bit):5.498311572387548
        Encrypted:false
        SSDEEP:12:xFFdWUIP+oniolYaDrJTCzj/cb4yvcnN0IxtXhelY2EaGiZ:xFFYJT2CJTCzj/biwtxtYlYaZ
        MD5:A0421E014197E3AB334AC3588A5E91A1
        SHA1:BAF987222C5925251A6567528E797FD63CAB3A92
        SHA-256:D27CDAFD99E19C474BC1BFC89334DD828C9089E44B0D3E043D3F0EAF2950F6EC
        SHA-512:411C0994EDEE07DF1F3140F85504C4F08534D41C3B6DF1502732491CBD5931D7597A7B08072986D6E5709B0817FF3384FB0E71F684274244875A6B1B46A122C2
        Malicious:false
        Reputation:unknown
        Preview: 6w48PegnK941ic7PHZcf0r1NP5..76ifu6842f61B7590D4I1AZWSA27pcAc7gGZ5w065h3oo6ukzQlvaLo1P8g2b77m181U1X3bO6ntm1n7u3R20B052AN210En2Vl58..Rv351f2y7641Q666jp012mb3k9jN3psg10kj679Im5865hm010eX52Lng089K431q3D9p9vA6567j71..82Y41S4810Z723G58qZUD2zxWZkX4ehRu240j4aic0oL1E5o27hQWj5H0f3QqLU7V7..X6vc0k95F6T9E0A84ttwQ59FQadq8d1Oauoke82Luv2U31p87V22U7gN500x921707l8504D4oL470jKTX03C82gP8615fJQ8lMH4G9GC3vMdrf1C86rf9057988863623nm5etj72LHg46Hch7xV2us77Vq..ZgO5X4500TAo1c0GP67t9Zz9t9k5641522aAWV4n5D67z0FmxW6aEC6H5Yne029b21V071is3Z6F26..
        C:\Users\user\77066510\psrsdcrs.ppt
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):535
        Entropy (8bit):5.460228697655972
        Encrypted:false
        SSDEEP:12:qmPLn4doIG2hU8Q9O1gOT98GsoYE3WMIvteVVx2i8:qmiG2Cn9O1gOTyQYIs+m
        MD5:06617F07B96ACD92F7B97E6968FE12C1
        SHA1:A5651BBA9A8F5B7BF7BBD579E5CAA790C81518FD
        SHA-256:D9CF772CBDB83A3DBA9EE767AC14BF1CCFE30FFFD41121EBB01C6D4D4799F792
        SHA-512:A4137B9F09A467218388A7272859B438B45C65BC3DA9DDDBB2FD5822DFA676C567C5ED3D4F30F6F334DB9578B8D8EE8CCA9E2405485D941CBB0242AD2BAAB599
        Malicious:false
        Reputation:unknown
        Preview: 0i87hcn7zq38Ud0M6O..7e15N4eJ3K5X1aJu25V8zYH6hv08uX1Tl39KJk5Dbt9G0S1s5ljav7Z47V9094006655j4b5Hl3Kt328479TsS6y34pB6LmzzVdOX6DT7B9D0tdFs069532nx7xK30jPG538nOo5I1fZ776Ma98n46rxUh8QeyJ21lM3Cv027K2110O7iH640y441544B0..sZvj9C5I0244v9BcC8568Hp549jHoiF4061V6R8K46Yph334a1C378O878rP0S186B02X6UB25896J1yT..7lh13r84g3zpSg2wR570v9pKs20ALzWa2439jDm67689DY99IqB6..n236g95825254793218230Br45e6bD2871PuAIaFS11I880e9MRlZ6wqY6K9099qn27JD822..124g48r34433f2C6Pj420GAnT0M0CNW6237J4gz4d26dWFH43i00N0335A3Io1x4A12x60Zjv85nlROSEU6ZLt51i96tH0X3r29FwZs20i29tE..
        C:\Users\user\77066510\rlller.xml
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):532
        Entropy (8bit):5.494842699274943
        Encrypted:false
        SSDEEP:12:Ih0PfU2+AQOW9QR3wU4uWavcRAI/7umzYVxBmUXOuC:FtQ59Q4HaIAczYVxBZC
        MD5:03818248A8B6BAAB709E4957BE26D1A6
        SHA1:77221C21787284A0891AAD0F918046E6EA8D209E
        SHA-256:D6825227D0376E6F9704C6213D61B3E324473CBB44987CEBB645D7458D8A1322
        SHA-512:C74D82DE930B544C9E1D6C51CF6C56FE3640D23C1C39B0A6FF4F0924EA905A093C85943C6002454558CB43E76558CE5773375D124809B62C39D2BDEC1B7C35C0
        Malicious:false
        Reputation:unknown
        Preview: u8N053k31p6j04MT87Q69ij9Y9EF94WV..ji3v3gt0282dZ2Gw1H2s55U4047ec0y1..c8T1E8Z183E68D50XASx26481t28I7gE6TLr16328O91YT3hKTji9sr35hpWeN9mvYvS29M2123D3699V532F5517wD45h9884Z0I80F..02VK5U80q8P6Wm4Z73tk2R77CTOtIEPLj0U5m50KUL65qqs4WYbI0DGT019p3Uht504Hn9C6833x1fZ228eNM..Y0jP62js65265W24Og96Z19Q9U8sfnIc6zr5Mf91qtwVX1MUQ7z2049Nq28K276dvjg73gl0R0e4Zp8K81r226JC4cAW2cK2Gj79m0B9eY9560nvo399G7o6QCiHrcfQ3rP762O7972c7P1zIKGL7o299..VS25TV1L5Tn4725Bp81m7v0oqDB642Z0FsU58d4LR4LHtc66692sM39inGE6Y35i0v78TVvxq24r693pCNK657vn5Q3QRd917159Zs7US6RbuVb59V..
        C:\Users\user\77066510\tcodw.xls
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):595
        Entropy (8bit):5.491533496757466
        Encrypted:false
        SSDEEP:12:UJhER91CU87mCTa/V0TDZ0vOjWrMNltukGSAtP6gv5xLTsyaUt:ChI1C75TBefMNltbUTvvLTXa8
        MD5:026F110A0C817D206247DAABE85734B6
        SHA1:F7A4A3054513E2BC1E3DE9F4AD628E642BD0965E
        SHA-256:478020C98C3533DDBE747DC2285F4B9743BC5C3476C53D28CBC1E10A861CCD71
        SHA-512:E5A65B33A297B5C58226E0DFEF7B30E3A4F440BAE0FADB7EECADC968B3CCECB3D26A7F43208BAC1AFCFCA5F9F775A855EA677EC87516FC378F6B363006C2BDCC
        Malicious:false
        Reputation:unknown
        Preview: f7sO4yc6zm04pV5JL2quHc8e9T0C22BqPv21F5N746705..074Oq3bpPRGYa3l86905Y0T544F527Fbl59U06q..a6Tl488L9bQhe7ih3C2YT06w235R0G6u7l950873f1000Y3T6IU7LfyjhT8a672E625B6P4f14H15g6F683D6XuZ1hTT8M27O8..14S18JaNArK515zH53770n7fW27xWuvUHxXI8M39N7e1yN77P78Qy8e6dog8262jil..1rSJ7KLCB5zC9u87UggY962B39U24rU11bmnBuSHC93C29042K..697S57s1z00b139B1L081zwC1..a74R17v1O08BB7pVg58c02053H93h95GM34107VO01j25..T66ozm13411vL6iUX34bk037Bn35WLyf303j442FQFQ16S25h9h8B54BQ4Zc79607JH1X201Mz4KMQE4znmFC72j9U6u7tD7BO093W3B..XH8jBlY4xk4rTv8F207s7Ei81bM35P635o1g2962q66PCjgESH75341o0vifI1OLB4U116shk6FU1ctxvC60735x6VK5c0pdqAi9ei586..
        C:\Users\user\77066510\tstvjpwaw.ico
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):522
        Entropy (8bit):5.487676269826994
        Encrypted:false
        SSDEEP:12:3VuARexgiBiiM1Yc1NUAgaJRXYcLS184svKxiXkHFymlE4X:jReWiBiimy+zYd1EUdX
        MD5:7E48DF6BAA951ECAE39B524CF001FCCA
        SHA1:454836998D2510CF79377EA16077922CC5AB2C13
        SHA-256:6AA7A35C0628AAFB3851BE715525F94323972C5B468E70FA9E77C98A17893ED1
        SHA-512:F56C16D18C3B9FB9F7F2421E66103E1D7A901F1C9160480C732AA303A29F71CE040B0A90DDEDAD68F210FC9A2ABF50CE9A4AF15112796D73EA97817A1984712E
        Malicious:false
        Reputation:unknown
        Preview: O9E6963gB9N6aN1Nid2wW67R5z9dM799v9SV3cD8qy57k6z3d7MUHGH1F35RdQ1c1p12C..CH43X5q99yA4Y816C07NKAf63TfsJ09..C51iuMERi8xMX53pwoKd8gl9866s47oS1i42435YhQC33Zmn8b26SV6bEvk850Qb5x8467K8QdP92l37zS3OB46Qi98w47r3W6Px028t9K1Li7vKxS23F3xg..e54kX0nz77Gdj5y46SOqe7602jhWMR51253641Va121251r7b94V369w0gz21k9llU8J1110Y..3i7vAoK08316V5227N824VsS0Dm165DTTj926I2F124833ftC4TtX1570h88400Wz66951q5541O0Td4Hk683Fv61jSCHHy8A83Z..w1WQ6S0pV0TZh6BYGIr663Lj54eK6613M3dB6qJ0npq6Ec555RezV680EvF84p8QKG20Yj6S28..3m2bR0079106p0IiC629m398186yZ2v4yXn37T11n..
        C:\Users\user\77066510\txoxpdjc.qnr
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:data
        Category:dropped
        Size (bytes):96502020
        Entropy (8bit):7.090532095529658
        Encrypted:false
        SSDEEP:98304:mnLDOE6//KHPJqqs2C7sIJ1+UdhsPQ36hX7jWcW3b3Mr0O1dElqhA1GJNkAL84Oh:3
        MD5:A6B5973B2AB8621E18DE5325194D4217
        SHA1:AE4F38F9D99FE7CAA0DFD1A8C20F9A8645C1AD19
        SHA-256:9F205B1613138A4CEB7942223C7654D575062ECB54D3CF54CDF1BB3E56BC2A6E
        SHA-512:938CD33CDC47F8BF9E588C9C2D4D9DF17C3866D69CD44527F08003CC1F50A96BDDDE7AD268D4FF3B5CDDEBAEAC44C9A888433172D5747B3AB419283D57414BE6
        Malicious:false
        Reputation:unknown
        Preview: ..;.=.....w.d]M.7.(......{uS......#.c.s...@..M...IMU..*[D.;..dx...1....J..$....Rv....o.$Vx....q.d+.[...._.@J.+.......8.8.V.k.X.b.1.O.6.t.4.U.6.4.X.8.0.s.y.0.J.p.b.J.r.E.3.6.U.9.r.2.E.3.f.Q.M.W.O.9.6.a.....9.a.K.0.1.O.a.4.8.6.a.X.2.3.K.F.8.N.7.c.5.4.V.3.g.9.Q.S.w.f.0.8.f.1.0........>..X..U...D.M..uy...er:.H..p......u..(Z@.yDU,...P....y..L.o8..w..g..@1.&%..S..]e.K.E.:..G$......9.Z...bMo.fHVo?..,.}...#......#2;.A..V.>.zg]...A..G..v.^~..|....l....3.2.1.2.4.Q.s.M.S.f.n.....W9qRk.M....2o.R.T.~.q..<..$D.R...O-.Wc.m..B........m...xo.}..$...S.2.?s...A5.9.....<.O.s..k..}.....W.5...... ..e.a...^7q^py.F9.+.$ef..4.xO...n......EQ.#..)[.-......qcO...+.!V6H...GYd.we./...I......<.......f.G1q...G..\X;.+n.)h.....-.tL.J.O.[........j^M..J..o...!.W.a..ug.Z.J.d........1..wZ$.y..P..Y...W.u.&.........z,.gD9.f.1.*./....3...mdq..y.Y...^.....*q...U.'..T.xh.!l&n.{#.v.._......N....LD......N........F.1...}u/.9.u.S..2."8#./.3..^.Vw......\..,!-dr7.p.."....P.KD..%.j..`.#..(..._f..Z
        C:\Users\user\77066510\vdxnbnfvi.pdf
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):571
        Entropy (8bit):5.496370279162565
        Encrypted:false
        SSDEEP:
        MD5:F35202D8C9FD1328ACF1397B5D6E9BF8
        SHA1:8F86894D08EF2AF26E3A3B4EAD2FBB4135FFB2AB
        SHA-256:5E088E5B883EB50CF8BB1820B6003D8B82DA35969DEB5A9BA8F606AB1E5F6DF6
        SHA-512:3C53300A425281738AEB6DF03D6B20E59A7BBF10B7695D8A8B2C91F9FA428D48F874DA546E9D78F65D55CD0ACE5E6225F00DDBD7A993FACD2131F6F9391513C7
        Malicious:false
        Reputation:unknown
        Preview: R3PxX43qOZ6h9N0tl61tRS1zgm5613195k971wU9yt9H869R52Jo00jJ2aQm4l7KOBp5F0kp54PX23R1237A1LYF5cJ48Xs07Ru96QA5395KEm338f6tO2U1A2h7i117Ux669wC8C3V94822mdor4p1mk..545F8uK74aqb377nRXmA4831jfo04K6jFIu110Hs6Ff2S8120424079q6z70mx24zq09911IDpt1..B8ipPqOgkg67Fj70492GPqSzm3MwKM0i9URKN73p5jtO49M4ZB4g623z9xY7dq490X20fEv23w1uy9CB6Nws4Aw317xhfSbV95BLN..KOt86Zqzh435E0W1R4c69uc9K2us56T7bq0Gv3L52AK2k038ONG7K17WQ2725Y..4078A0..x4ZCb29C800F227t9ou94GAg876eV4tQP2iUQPW1n..Nylcy1k2MW7..9405528E76s1L72oN539h5W29z6H4f33V4cc6JQZN8xc4M263371R0359511Vv91BYO9xvY8916fS8zzj4L423915mB9BQ66L8fjzf385..
        C:\Users\user\77066510\xfjtfdxub.cpl
        Process:C:\Users\user\Desktop\dUzAkYsvl8.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):546
        Entropy (8bit):5.4988646271397466
        Encrypted:false
        SSDEEP:
        MD5:F04CA2A967FC764A36FAA9308CF33F48
        SHA1:A5C2DDB13912B1C5EF46B0BDDA7CC76031377CC9
        SHA-256:9343D1C8FF4B8D5D2B9FDA129AC44AA61F7B07BC5681C68088B997EDE440CFEA
        SHA-512:7B324450F41166AB33C26466DC8BFBAD1C84AE8B66CE38FF8C37ABD365A083738B3E8E9D1E5F05D68514B071321B29D45ED6E7D2009D4B13EF27F7876E937D0C
        Malicious:false
        Reputation:unknown
        Preview: M493C155X97O876a58tcFb29B51297QOnbu322ar50o2q0Qqt6b2Nw7e117I05m2Qn38F06yYOl98..gc19QC66as81v853Wz6456Yp4lwI7x1LPo7W6tIyM63u2Av050gIn32444T76..2cxJ7214JH9077dH92Mf18N6m4x1g86v3w9vGa9383T3sxqaV471e1WAa68de8qb36Hd57RGLHRf5TuuQXjAEXK319C6300Y2Fu9l248e13Px2fiOVBz0Y2749h0hJ27Mw0587Jhz9LlVww7uK24pPlr2x5j32XY43xc104WLgqw66t1H6W348cYg0xm5A..822zg47hKqnh43Ss94E4BB9Km2yaX23vz472M9b34r2Fb42Yj336R2Yi6z11N9097032p9dq1z955uCq76oLg28t..6Q36fg0a4yJ8plKm9e80Np01H66S2WZ8Zu140lS50fe8A98V79V8ejnC3NX7mf3437c19614l0j570OV751HLZk40m6STWSOT9dS80Np0E2a98wY18Z9Z6b3..
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):142
        Entropy (8bit):5.090621108356562
        Encrypted:false
        SSDEEP:
        MD5:8C0458BB9EA02D50565175E38D577E35
        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
        Malicious:false
        Reputation:unknown
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type:ASCII text, with CRLF line terminators
        Category:modified
        Size (bytes):142
        Entropy (8bit):5.090621108356562
        Encrypted:false
        SSDEEP:
        MD5:8C0458BB9EA02D50565175E38D577E35
        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
        Malicious:false
        Reputation:unknown
        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
        C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1320
        Entropy (8bit):5.135668813522653
        Encrypted:false
        SSDEEP:
        MD5:8CAD1B41587CED0F1E74396794F31D58
        SHA1:11054BF74FCF5E8E412768035E4DAE43AA7B710F
        SHA-256:3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
        SHA-512:99C2EF89029DE51A866DF932841684B7FC912DF21E10E2DD0D09E400203BBDC6CBA6319A31780B7BF8B286D2CEA8EA3FC7D084348BF2F002AB4F5A34218CCBEF
        Malicious:true
        Reputation:unknown
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
        C:\Users\user\AppData\Local\Temp\tmp2720.tmp
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):1310
        Entropy (8bit):5.109425792877704
        Encrypted:false
        SSDEEP:
        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
        Malicious:false
        Reputation:unknown
        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:Non-ISO extended-ASCII text, with no line terminators
        Category:dropped
        Size (bytes):8
        Entropy (8bit):3.0
        Encrypted:false
        SSDEEP:
        MD5:F6112EADAC856DAAE9732D589993F43F
        SHA1:0DE653A9EA324DC51954C5FA1E58331AC7B8038C
        SHA-256:AD578EF8FC5B61D19BB496C0720C05E1FEF5D5B5EA8EBC40390D3D4C336DC4F8
        SHA-512:184F1EDB675AE8829090176439A63AA69E9CCF1B7040BD23938EFD3C6245C5DDAF019442F8D567E71CB4D9BB5E50DE74E0536121817E36C0C2E7D7670D8C6CAF
        Malicious:true
        Reputation:unknown
        Preview: .s.5A..H
        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):57
        Entropy (8bit):4.830795005765378
        Encrypted:false
        SSDEEP:
        MD5:08E799E8E9B4FDA648F2500A40A11933
        SHA1:AC76B5E20DED247803448A2F586731ED7D84B9F3
        SHA-256:D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
        SHA-512:5C5701A86156D573BE274E73615FD6236AC89630714863A4CB2639EEC8EC1BE746839EBF8A9AEBA0A9BE326AF6FA02D8F9BD7A93D3FFB139BADE945572DF5FE9
        Malicious:false
        Reputation:unknown
        Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        C:\Users\user\temp\hrennftnds.cpl
        Process:C:\Users\user\77066510\cjlaro.pif
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):82
        Entropy (8bit):5.0087305542018905
        Encrypted:false
        SSDEEP:
        MD5:EC8A6D0D840B97981D8DA9935499D168
        SHA1:002DCDC5B737749AEAC14B1B1F50DC83B05429AA
        SHA-256:2A33D572C8D852E5B135B7AC9F521FCF1E8CA030DEAF672594C180A7845017FC
        SHA-512:17D47FA260D6C06B9106EEDD92759B99DDFB3DF417D070B9BC28CB84FCCB69F258B350C5249D428595057AED972588D29558606B9611D43319B97736015E2201
        Malicious:false
        Reputation:unknown
        Preview: [S3tt!ng]..stpth=%userprofile%..Key=Chrome..Dir3ctory=77066510..ExE_c=cjlaro.pif..
        \Device\ConDrv
        Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        File Type:ASCII text, with CRLF, LF line terminators
        Category:dropped
        Size (bytes):215
        Entropy (8bit):4.911407397013505
        Encrypted:false
        SSDEEP:
        MD5:623152A30E4F18810EB8E046163DB399
        SHA1:5D640A976A0544E2DDA22E9DF362F455A05CFF2A
        SHA-256:4CA51BAF6F994B93FE9E1FDA754A4AE74277360C750C04B630DA3DEC33E65FEA
        SHA-512:1AD53476A05769502FF0BCA9E042273237804B63873B0D5E0613936B91766A444FCA600FD68AFB1EF2EA2973242CF1A0FF617522D719F2FA63DF074E118F370B
        Malicious:false
        Reputation:unknown
        Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved......The following installation error occurred:..1: Assembly not found: '0'...
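The two task XML files above (tmp1EC2.tmp and tmp2720.tmp) are the payloads of the schtasks.exe registrations listed further down under System Behavior: a task with an empty Triggers element, RunLevel HighestAvailable, and an XML file written to %TEMP% first. The following Python is an added example, not part of the Joe Sandbox report, showing how to turn those two artefacts into triage findings. The schtasks command line is quoted from the report; the task XML is constructed from the tmp1EC2.tmp preview, and because the preview is truncated inside Settings, the closing elements and the Actions block (pointing at the dhcpmon.exe path that appears in this report) are an assumption, not something the report shows.

```python
"""Scheduled-task persistence triage for a schtasks.exe /create /xml registration."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")

# Command line quoted verbatim from the process list in this report.
SAMPLE_CMDLINE = ("'schtasks.exe' /create /f /tn 'DHCP Monitor' "
                  "/xml 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp1EC2.tmp'")

# Constructed sample. The elements match the tmp1EC2.tmp preview; the preview is
# truncated inside <Settings>, so the closing elements and the <Actions> block are an
# ASSUMPTION (the report shows dhcpmon.exe running but not what the task launches).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def tokenize(cmdline):
    """Split a Windows command line, honouring single and double quotes."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /create options that matter for triage."""
    toks = tokenize(cmdline)
    opts = {"create": False, "force": False, "tn": None, "xml": None, "tr": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t == "/f":
            opts["force"] = True
        elif t in ("/tn", "/xml", "/tr") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts


def triage(cmdline, task_xml):
    """Return {finding_code: detail} for one schtasks registration plus its task XML."""
    findings = {}
    opts = parse_schtasks(cmdline)
    if opts["create"] and opts["xml"] and re.search(r"\\appdata\\local\\temp\\", opts["xml"], re.I):
        findings["XML_FROM_TEMP"] = opts["xml"]
    if opts["force"]:
        findings["FORCE_OVERWRITE"] = opts["tn"]
    # Task files on disk are UTF-16 with an XML declaration; drop the declaration so a
    # decoded str parses regardless of what encoding it claims.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip())
    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is None or len(triggers) == 0:
        findings["NO_TRIGGERS"] = "on-demand only: started by the dropper, not by the scheduler"
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS) == "HighestAvailable":
        findings["RUNLEVEL_HIGHEST"] = "full admin token whenever the registering user is an admin"
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip()
        if not path.lower().startswith("c:\\windows\\"):
            findings["ACTION_OUTSIDE_WINDOWS"] = path
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_CMDLINE, SAMPLE_TASK_XML).items():
        print(f"{code:24} {detail}")
```

On a live host the same checks apply to the XML that `schtasks /query /tn "DHCP Monitor" /xml` returns, or to the files under C:\Windows\System32\Tasks, which are stored as UTF-16 and should be opened with that encoding before being passed to `triage`.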

        Static File Info

        General

        File type:PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit):7.823508667946661
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.96%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name:dUzAkYsvl8.exe
        File size:1021780
        MD5:9a4a8643db95a8c0fe52af8675a5d1b1
        SHA1:c6beb75cbc168f9224ace74c0dcfb29df6197e82
        SHA256:b4e2d864ec03943310548bfbc963a0848bd08e088429c5ce05759face5d380d2
        SHA512:05d404c9422c2da367135f616a8b61b6adc68dc3f8f0b3a070f2071ec01de8c2aeafe5a63aea6e306fdfd299c43ef792efcfd9b555dcda9b3ff9e44872a8b4c0
        SSDEEP:24576:rAOcZEh5lwWkAZ5HrNUWTq6ai0bagi7vzJV:tWWbL1Tq6d4a5vT
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...,...._......._..'...._f.'...._..'..

        File Icon

        Icon Hash:b491b4ecd336fb5b

        Static PE Info

        General

        Entrypoint:0x41e1f9
        Entrypoint Section:.text
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows gui
        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Time Stamp:0x5E7C7DC7 [Thu Mar 26 10:02:47 2020 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:5
        OS Version Minor:1
        File Version Major:5
        File Version Minor:1
        Subsystem Version Major:5
        Subsystem Version Minor:1
        Import Hash:fcf1390e9ce472c7270447fc5c61a0c1

        Entrypoint Preview

        Instruction
        call 00007F5150A9319Fh
        jmp 00007F5150A92B93h
        cmp ecx, dword ptr [0043D668h]
        jne 00007F5150A92D05h
        ret
        jmp 00007F5150A93315h
        ret
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00433068h
        mov dword ptr [ecx], 00434284h
        ret
        push ebp
        mov ebp, esp
        push esi
        push dword ptr [ebp+08h]
        mov esi, ecx
        call 00007F5150A86111h
        mov dword ptr [esi], 00434290h
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        and dword ptr [ecx+04h], 00000000h
        mov eax, ecx
        and dword ptr [ecx+08h], 00000000h
        mov dword ptr [ecx+04h], 00434298h
        mov dword ptr [ecx], 00434290h
        ret
        lea eax, dword ptr [ecx+04h]
        mov dword ptr [ecx], 00434278h
        push eax
        call 00007F5150A95EADh
        pop ecx
        ret
        push ebp
        mov ebp, esp
        push esi
        mov esi, ecx
        lea eax, dword ptr [esi+04h]
        mov dword ptr [esi], 00434278h
        push eax
        call 00007F5150A95E96h
        test byte ptr [ebp+08h], 00000001h
        pop ecx
        je 00007F5150A92D0Ch
        push 0000000Ch
        push esi
        call 00007F5150A922CFh
        pop ecx
        pop ecx
        mov eax, esi
        pop esi
        pop ebp
        retn 0004h
        push ebp
        mov ebp, esp
        sub esp, 0Ch
        lea ecx, dword ptr [ebp-0Ch]
        call 00007F5150A92C6Eh
        push 0043A410h
        lea eax, dword ptr [ebp-0Ch]
        push eax
        call 00007F5150A95595h
        int3
        push ebp
        mov ebp, esp
        sub esp, 0Ch

        Rich Headers

        Programming Language:
        • [ C ] VS2008 SP1 build 30729
        • [EXP] VS2015 UPD3.1 build 24215
        • [LNK] VS2015 UPD3.1 build 24215
        • [IMP] VS2008 SP1 build 30729
        • [C++] VS2015 UPD3.1 build 24215
        • [RES] VS2015 UPD3 build 24213

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b540 | 0x34 | .rdata
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b574 | 0x3c | .rdata
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x4c28 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x67000 | 0x210c | .reloc
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x397d0 | 0x54 | .rdata
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x34218 | 0x40 | .rdata
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x260 | .rdata
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3aaec | 0x120 | .rdata
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x30581 | 0x30600 | False | 0.589268410853 | data | 6.70021125825 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .rdata | 0x32000 | 0xa332 | 0xa400 | False | 0.455030487805 | data | 5.23888424127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .data | 0x3d000 | 0x238b0 | 0x1200 | False | 0.368272569444 | data | 3.83993526939 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .gfids | 0x61000 | 0xe8 | 0x200 | False | 0.333984375 | data | 2.12166381533 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .rsrc | 0x62000 | 0x4c28 | 0x4e00 | False | 0.602263621795 | data | 6.36874241417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
        .reloc | 0x67000 | 0x210c | 0x2200 | False | 0.786534926471 | data | 6.61038519378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
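Two columns of the section table carry most of the static signal: the entropy of the executable section (.text at 6.70 bits per byte here) and the gap between virtual and raw size (.data is 0x238b0 bytes in memory but only 0x1200 on disk, so most of it is zero-filled at load time and populated at run time). The Python below is an added example, not the sandbox's own implementation, that walks a PE section table and applies both heuristics. It runs on a synthetic two-section header built in `build_fixture` (which is not the analysed sample and is not loadable, since it omits the optional header); the 6.5-bit entropy threshold and the 4:1 size ratio are assumptions chosen for illustration.

```python
"""Section-table heuristics: entropy of executable sections and virtual/raw size gaps."""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> file header -> section table."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _machine, nsec, _ts, _, _, opt_size, _fchars = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def section_findings(sections, entropy_threshold=6.5, bss_ratio=4):
    """Thresholds are assumptions for illustration; tune them against a clean corpus."""
    findings = []
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']} "
                            "(compressed or encrypted code?)")
        if s["vsize"] > bss_ratio * max(s["rawsize"], 1):
            findings.append(f"{s['name']}: virtual size {s['vsize']:#x} far exceeds raw size "
                            f"{s['rawsize']:#x} (large zero-filled region populated at run time)")
    return findings


def build_fixture():
    """Synthetic two-section PE, NOT the analysed sample: no optional header, so a loader
    would reject it, but the DOS/file/section headers are laid out as in a real file."""
    text_data = bytes(range(256)) * 16        # 4096 bytes, each value 16 times -> entropy 8.0
    data_data = b"\0" * 0x200                 # 512 zero bytes on disk, 0x20000 bytes in memory
    text_ptr = 0x200
    data_ptr = text_ptr + len(text_data)

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5E7C7DC7, 0, 0, 0, 0x102)
    hdr = (dos + b"PE\0\0" + file_hdr
           + sec(b".text", len(text_data), 0x1000, len(text_data), text_ptr,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
           + sec(b".data", 0x20000, 0x3000, len(data_data), data_ptr,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return hdr + b"\0" * (text_ptr - len(hdr)) + text_data + data_data


if __name__ == "__main__":
    secs = parse_sections(build_fixture())
    for s in secs:
        print(f"{s['name']:8} va={s['va']:#07x} vsize={s['vsize']:#08x} "
              f"raw={s['rawsize']:#07x} entropy={s['entropy']}")
    for line in section_findings(secs):
        print("!", line)
```

Applied to the table above with the same thresholds, both rules would fire on this sample: .text is executable at 6.70 bits per byte, and .data has a 31:1 virtual-to-raw ratio. Neither is proof of packing on its own; read them together with the high overall file entropy (7.82) and the import table below.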

        Resources

        Name | RVA | Size | Type | Language | Country
        PNG | 0x62524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
        PNG | 0x6306c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
        RT_ICON | 0x64618 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 134243974, next used block 1626799870 | |
        RT_DIALOG | 0x64900 | 0x286 | data | English | United States
        RT_DIALOG | 0x64b88 | 0x13a | data | English | United States
        RT_DIALOG | 0x64cc4 | 0xec | data | English | United States
        RT_DIALOG | 0x64db0 | 0x12e | data | English | United States
        RT_DIALOG | 0x64ee0 | 0x338 | data | English | United States
        RT_DIALOG | 0x65218 | 0x252 | data | English | United States
        RT_STRING | 0x6546c | 0x1e2 | data | English | United States
        RT_STRING | 0x65650 | 0x1cc | data | English | United States
        RT_STRING | 0x6581c | 0x1b8 | data | English | United States
        RT_STRING | 0x659d4 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
        RT_STRING | 0x65b1c | 0x446 | data | English | United States
        RT_STRING | 0x65f64 | 0x166 | data | English | United States
        RT_STRING | 0x660cc | 0x152 | data | English | United States
        RT_STRING | 0x66220 | 0x10a | data | English | United States
        RT_STRING | 0x6632c | 0xbc | data | English | United States
        RT_STRING | 0x663e8 | 0xd6 | data | English | United States
        RT_GROUP_ICON | 0x664c0 | 0x14 | data | |
        RT_MANIFEST | 0x664d4 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

        Imports

        DLL | Import
        KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
        gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc

        Possible Origin

        Language of compilation system | Country where language is spoken | Map
        English | United States |

        Network Behavior

        Snort IDS Alerts

        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
        10/11/21-22:29:37.142185 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 53910 | 8.8.8.8 | 192.168.2.3
        10/11/21-22:29:55.963084 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52130 | 8.8.8.8 | 192.168.2.3
        10/11/21-22:31:05.092278 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55393 | 8.8.8.8 | 192.168.2.3

        Network Port Distribution

        TCP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Oct 11, 2021 22:29:16.698590994 CEST | 49746 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:19.845594883 CEST | 49746 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:25.846190929 CEST | 49746 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:37.144545078 CEST | 49747 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:40.144151926 CEST | 49747 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:46.160325050 CEST | 49747 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:55.965475082 CEST | 49761 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:29:59.067702055 CEST | 49761 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:05.068166971 CEST | 49761 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:14.101757050 CEST | 49764 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:14.113111973 CEST | 48562 | 49764 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:14.678342104 CEST | 49764 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:14.696242094 CEST | 48562 | 49764 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:15.366213083 CEST | 49764 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:15.383961916 CEST | 48562 | 49764 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:19.411773920 CEST | 49791 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:19.437004089 CEST | 48562 | 49791 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:19.944379091 CEST | 49791 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:19.963534117 CEST | 48562 | 49791 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:20.476780891 CEST | 49791 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:20.520962954 CEST | 48562 | 49791 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:24.540857077 CEST | 49803 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:24.558051109 CEST | 48562 | 49803 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:25.075697899 CEST | 49803 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:25.093930006 CEST | 48562 | 49803 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:25.607342958 CEST | 49803 | 48562 | 192.168.2.3 | 185.19.85.175
        Oct 11, 2021 22:30:25.618659973 CEST | 48562 | 49803 | 185.19.85.175 | 192.168.2.3
        Oct 11, 2021 22:30:30.090179920 CEST | 49806 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:33.101931095 CEST | 49806 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:39.102528095 CEST | 49806 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:47.814519882 CEST | 49828 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:50.824409962 CEST | 49828 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:30:56.826141119 CEST | 49828 | 48562 | 192.168.2.3 | 197.210.84.227
        Oct 11, 2021 22:31:05.103924990 CEST | 49829 | 48562 | 192.168.2.3 | 197.210.84.227

        UDP Packets

        Timestamp | Source Port | Dest Port | Source IP | Dest IP
        Oct 11, 2021 22:29:16.670052052 CEST | 52806 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:29:16.686587095 CEST | 53 | 52806 | 8.8.8.8 | 192.168.2.3
        Oct 11, 2021 22:29:37.122045994 CEST | 53910 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:29:37.142184973 CEST | 53 | 53910 | 8.8.8.8 | 192.168.2.3
        Oct 11, 2021 22:29:55.940438032 CEST | 52130 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:29:55.963083982 CEST | 53 | 52130 | 8.8.8.8 | 192.168.2.3
        Oct 11, 2021 22:30:30.033157110 CEST | 60982 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:30:30.051671982 CEST | 53 | 60982 | 8.8.8.8 | 192.168.2.3
        Oct 11, 2021 22:30:47.756072044 CEST | 51539 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:30:47.775213003 CEST | 53 | 51539 | 8.8.8.8 | 192.168.2.3
        Oct 11, 2021 22:31:05.071070910 CEST | 55393 | 53 | 192.168.2.3 | 8.8.8.8
        Oct 11, 2021 22:31:05.092278004 CEST | 53 | 55393 | 8.8.8.8 | 192.168.2.3

        DNS Queries

        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
        Oct 11, 2021 22:29:16.670052052 CEST | 192.168.2.3 | 8.8.8.8 | 0xcd37 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:37.122045994 CEST | 192.168.2.3 | 8.8.8.8 | 0xbdd8 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:55.940438032 CEST | 192.168.2.3 | 8.8.8.8 | 0xbfba | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:30.033157110 CEST | 192.168.2.3 | 8.8.8.8 | 0xda86 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:47.756072044 CEST | 192.168.2.3 | 8.8.8.8 | 0xa386 | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:31:05.071070910 CEST | 192.168.2.3 | 8.8.8.8 | 0x8eb | Standard query (0) | strongodss.ddns.net | A (IP address) | IN (0x0001)

        DNS Answers

        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
        Oct 11, 2021 22:29:16.686587095 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd37 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:37.142184973 CEST | 8.8.8.8 | 192.168.2.3 | 0xbdd8 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:29:55.963083982 CEST | 8.8.8.8 | 192.168.2.3 | 0xbfba | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:30.051671982 CEST | 8.8.8.8 | 192.168.2.3 | 0xda86 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:30:47.775213003 CEST | 8.8.8.8 | 192.168.2.3 | 0xa386 | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
        Oct 11, 2021 22:31:05.092278004 CEST | 8.8.8.8 | 192.168.2.3 | 0x8eb | No error (0) | strongodss.ddns.net | | 197.210.84.227 | A (IP address) | IN (0x0001)
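Read together, the DNS and TCP tables above show the C2 pattern: strongodss.ddns.net resolves to 197.210.84.227, and the sample opens a fresh connection to port 48562 every 20 to 50 seconds. Each attempt is three SYNs from the same source port at roughly +3 s and +9 s, which is the default Windows SYN retransmission schedule, and no packet ever comes back, so the controller was unreachable during analysis. The answered exchanges with 185.19.85.175 on the same port have no DNS lookup in the capture. The Python below is an added example, not part of the Joe Sandbox report, that derives those observations from the rows: the input is a subset of the TCP rows above (copied verbatim, the 185.19.85.175 exchange kept to show the answered case) plus the DNS mapping, and the dynamic-DNS suffix list is an assumption for illustration.

```python
"""Beacon summary over sandbox TCP rows: attempts per server, unanswered SYNs, cadence."""
import re
from collections import defaultdict
from datetime import datetime

# Subset of the TCP Packets table above, copied verbatim (sandbox host is 192.168.2.3).
TCP_ROWS = """\
Oct 11, 2021 22:29:16.698590994 CEST 49746 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:29:19.845594883 CEST 49746 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:29:25.846190929 CEST 49746 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:29:37.144545078 CEST 49747 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:29:40.144151926 CEST 49747 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:29:46.160325050 CEST 49747 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:30:14.101757050 CEST 49764 48562 192.168.2.3 185.19.85.175
Oct 11, 2021 22:30:14.113111973 CEST 48562 49764 185.19.85.175 192.168.2.3
Oct 11, 2021 22:30:14.678342104 CEST 49764 48562 192.168.2.3 185.19.85.175
Oct 11, 2021 22:30:14.696242094 CEST 48562 49764 185.19.85.175 192.168.2.3
Oct 11, 2021 22:30:30.090179920 CEST 49806 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:30:33.101931095 CEST 49806 48562 192.168.2.3 197.210.84.227
Oct 11, 2021 22:30:39.102528095 CEST 49806 48562 192.168.2.3 197.210.84.227
"""
# From the DNS Answers table above.
DNS_ANSWERS = {"197.210.84.227": "strongodss.ddns.net"}
# Assumption: a short illustrative list of dynamic-DNS suffixes, not an authoritative one.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")

ROW = re.compile(r"^(\w+ \d+, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+ (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text):
    """Yield (timestamp, sport, dport, src, dst); nanoseconds are truncated to microseconds."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        base, frac, sport, dport, src, dst = m.groups()
        ts = datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))
        yield ts, int(sport), int(dport), src, dst


def summarize(rows, client_ip, dns_answers):
    """Group packets into client->server flows (one per client source port) and roll them
    up per server:port. A flow with SYNs but no reply is an unanswered connection attempt."""
    flows = defaultdict(lambda: {"syns": [], "replies": 0})
    for ts, sport, dport, src, dst in parse_rows(rows):
        if src == client_ip:
            flows[(dst, dport, sport)]["syns"].append(ts)
        elif dst == client_ip:
            flows[(src, sport, dport)]["replies"] += 1

    per_server = defaultdict(list)
    for (server, port, _cport), flow in flows.items():
        per_server[(server, port)].append(flow)

    summary = {}
    for (server, port), fl in per_server.items():
        starts = sorted(f["syns"][0] for f in fl)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        unanswered = [f for f in fl if f["replies"] == 0]
        # Offsets of the retransmitted SYNs in the first unanswered attempt (3 s / 9 s on Windows).
        retry = [round((t - unanswered[0]["syns"][0]).total_seconds(), 1)
                 for t in unanswered[0]["syns"][1:]] if unanswered else []
        name = dns_answers.get(server, "")
        summary[f"{server}:{port}"] = {
            "name": name,
            "dyndns": name.endswith(DYNDNS_SUFFIXES),
            "attempts": len(fl),
            "unanswered": len(unanswered),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "retry_offsets_s": retry,
        }
    return summary


def suspicious(entry, min_attempts=3):
    """Reasons a server:port entry looks like a beacon destination (heuristic, not proof)."""
    reasons = []
    if entry["dyndns"]:
        reasons.append("dynamic-DNS hostname")
    if entry["attempts"] >= min_attempts and entry["unanswered"] == entry["attempts"]:
        reasons.append("repeated unanswered connection attempts")
    return reasons


if __name__ == "__main__":
    for key, entry in summarize(TCP_ROWS, "192.168.2.3", DNS_ANSWERS).items():
        print(key, entry, suspicious(entry))
```

On full capture data the same rollup also exposes the cadence: `mean_gap_s` is the beacon interval once the retransmissions are folded into their attempts, which is the number a network detection rule should key on rather than the raw SYN count.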

        Behavior

        System Behavior

        General

        Start time:22:28:50
        Start date:11/10/2021
        Path:C:\Users\user\Desktop\dUzAkYsvl8.exe
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\Desktop\dUzAkYsvl8.exe'
        Imagebase:0x1f0000
        File size:1021780 bytes
        MD5 hash:9A4A8643DB95A8C0FE52AF8675A5D1B1
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:22:28:57
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\77066510\cjlaro.pif' txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315424551.0000000004EA3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314549221.0000000004D88000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315994973.0000000004E6E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316144236.0000000004E6E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314585596.0000000004E06000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315927794.0000000004E06000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316303784.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.315764008.0000000004E3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.316393189.0000000004D88000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314529331.0000000004E3A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314683885.0000000004EA3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314613880.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.314455197.0000000004DD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        Antivirus matches:
        • Detection: 100%, Joe Sandbox ML
        • Detection: 37%, Metadefender, Browse
        • Detection: 56%, ReversingLabs
        Reputation:low

        General

        Start time:22:29:02
        Start date:11/10/2021
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Imagebase:0x120000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560410383.0000000006110000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.555314514.0000000000502000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.560490990.00000000061B0000.00000004.00020000.sdmp, Author: Joe Security
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.559058243.0000000003A79000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000005.00000002.560258652.0000000005630000.00000004.00020000.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.557771680.0000000002A31000.00000004.00000001.sdmp, Author: Joe Security
        Reputation:high

        General

        Start time:22:29:10
        Start date:11/10/2021
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EC2.tmp'
        Imagebase:0x10d0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\SysWOW64\schtasks.exe
        Wow64 process (32bit):true
        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp2720.tmp'
        Imagebase:0x7ff70d6e0000
        File size:185856 bytes
        MD5 hash:15FF7D8324231381BAD48A052F85DF04
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):false
        Commandline:'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:low

        General

        Start time:22:29:12
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:14
        Start date:11/10/2021
        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 0
        Imagebase:0xf50000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Reputation:high

        General

        Start time:22:29:16
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        General

        Start time:22:29:16
        Start date:11/10/2021
        Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Wow64 process (32bit):true
        Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Imagebase:0xd30000
        File size:45152 bytes
        MD5 hash:2867A3817C9245F7CF518524DFD18F28
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:.Net C# or VB.NET
        Antivirus matches:
        • Detection: 0%, Metadefender
        • Detection: 0%, ReversingLabs

        General

        Start time:22:29:17
        Start date:11/10/2021
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7f20f0000
        File size:625664 bytes
        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language

        General

        Start time:22:29:18
        Start date:11/10/2021
        Path:C:\Users\user\77066510\cjlaro.pif
        Wow64 process (32bit):true
        Commandline:'C:\Users\user\77066510\cjlaro.pif' C:\Users\user\77066510\txoxpdjc.qnr
        Imagebase:0x1130000
        File size:776432 bytes
        MD5 hash:279DAE7236F5F2488A4BACDE6027F730
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.359982101.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363952559.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363022584.0000000004938000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360137256.000000000489A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.364780852.000000000489A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360433850.0000000004903000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360821611.000000000496B000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.366099101.0000000004902000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.370237585.0000000004831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.369728872.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.363076349.00000000039E5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360037831.0000000004831000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360563466.0000000004903000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360697455.0000000004938000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.366655070.0000000004902000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360273834.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.360354824.00000000048CF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Florian Roth
        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Joe Security
        • Rule: NanoCore, Description: unknown, Source: 00000014.00000003.359604202.0000000004866000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>

        General

        Start time:22:29:21
        Start date:11/10/2021
        Path:C:\Windows\System32\wscript.exe
        Wow64 process (32bit):false
        Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\77066510\Update.vbs'
        Imagebase:0x7ff63d490000
        File size:163840 bytes
        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language

        Disassembly

        Code Analysis
